Date: Sat, 23 Jan 2016 00:44:49 +0000
From: Serge Hallyn
To: Kees Cook
Cc: Robert Święcki, Ben Hutchings, Andrew Morton, Al Viro, Richard Weinberger, "Eric W. Biederman", Andy Lutomirski, Dmitry Vyukov, David Howells, Kostya Serebryany, Alexander Potapenko, Eric Dumazet, Sasha Levin, linux-doc@vger.kernel.org, LKML, kernel-hardening@lists.openwall.com
Subject: Re: [PATCH 2/2] sysctl: allow CLONE_NEWUSER to be disabled
Message-ID: <20160123004449.GB23632@ubuntumail>
References: <1453502345-30416-1-git-send-email-keescook@chromium.org> <1453502345-30416-3-git-send-email-keescook@chromium.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
List-ID: linux-kernel@vger.kernel.org

Quoting Kees Cook (keescook@chromium.org):
> On Fri, Jan 22, 2016 at 2:55 PM, Robert Święcki wrote:
> > 2016-01-22 23:50 GMT+01:00 Kees Cook :
> >
> >>> Seems that Debian and some older Ubuntu versions are already using
> >>>
> >>> $ sysctl -a | grep usern
> >>> kernel.unprivileged_userns_clone = 0
> >>>
> >>> Shall we be consistent with it?
> >>
> >> Oh! I didn't see that on systems I checked. On which version did you find that?
> >
> > $ uname -a
> > Linux bc1 4.3.0-0.bpo.1-amd64 #1 SMP Debian 4.3.3-5~bpo8+1 (2016-01-07) x86_64 GNU/Linux
> > $ cat /etc/debian_version
> > 8.2
>
> Ah-ha, Debian only, though it looks like this was just committed to
> the Ubuntu kernel tree too:
>
> > IIRC some older kernels delivered with Ubuntu Precise were also using
> > it (but maybe I'm mistaken)
>
> I don't see it there.
>
> I think my patch is more complete, but I'm happy to change the name if
> this sysctl has already started to enter the global consciousness. ;)
>
> Serge, Ben, what do you think?

Oh, sorry - as for the name of it, what is the alternative you are proposing?
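The thread turns on the fact that the distribution-patched Debian and Ubuntu kernels expose `kernel.unprivileged_userns_clone`, while other kernels do not carry that knob at all, so a fleet audit has to distinguish "set to 0" from "not present" before concluding anything about unprivileged user namespaces. The following POSIX shell snippet is an added example written for this page, not code from the patch series or from any of the participants; it reads the sysctl through its `/proc/sys` path (the real path for that knob) and accepts an optional override path, which is a hypothetical parameter used here only so the check can be exercised against constructed sample files offline.

```shell
#!/bin/sh
# Added example, not part of the mail thread.
# Report the state of the Debian/Ubuntu out-of-tree sysctl
# kernel.unprivileged_userns_clone, distinguishing a kernel that
# lacks the knob entirely from one where it is explicitly 0 or 1.
#
# Exit status: 0 = disabled (0), 1 = enabled (1),
#              2 = knob absent on this kernel, 3 = unexpected value.

userns_clone_status() {
    # $1 is a hypothetical override path used for offline testing;
    # on a live host the default is the real /proc/sys entry.
    f="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    if [ ! -r "$f" ]; then
        # No distro patch here: the knob does not exist, so a value of
        # "0" reported by a naive grep would be meaningless.
        echo "absent"
        return 2
    fi
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        0) echo "disabled"; return 0 ;;
        1) echo "enabled";  return 1 ;;
        *) echo "unknown:$v"; return 3 ;;
    esac
}

# Constructed sample files standing in for /proc/sys entries, so the
# check runs on any machine regardless of its kernel.
make_sample() {
    d=$(mktemp -d)
    printf '0\n' > "$d/userns_off"
    printf '1\n' > "$d/userns_on"
    echo "$d"
}

# Stand-alone run: audit the real knob on this host.
if [ "${0##*/}" != "sh" ] && [ -z "${USERNS_EXAMPLE_NO_MAIN:-}" ]; then
    userns_clone_status
fi
```

On a host without the distribution patch the function prints `absent` and exits 2 rather than silently treating the missing file as "not restricted", which is the caveat the thread's `sysctl -a | grep usern` one-liner does not capture.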