← Back to team overview

kernel-packages team mailing list archive

[Bug 1555321] [NEW] kernel should support disabling CLONE_NEWUSER via sysctl

 

*** This bug is a security vulnerability ***

Public security bug reported:

Unprivileged user namespaces gives an unprivileged user access to a
large set of kernel functionality and interfaces that has historically
not been carefully vetted for security issues, as it required a user
with trusted privileges to access. This has lead to a number of security
issues around mounting filesystems and other areas of the kernel.

We should give administrators the option to disable unprivileged user
namespaces via a sysctl if they have no need for it, to allow them to
reduce their threat surface. The patch at http://www.openwall.com/lists
/kernel-hardening/2016/01/28/8 does so. (debian is currently carrying a
similar patch
https://anonscm.debian.org/cgit/kernel/linux.git/tree/debian/patches/debian
/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-
default.patch?h=sid ).

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Confirmed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1555321

Title:
  kernel should support disabling CLONE_NEWUSER via sysctl

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  Unprivileged user namespaces gives an unprivileged user access to a
  large set of kernel functionality and interfaces that has historically
  not been carefully vetted for security issues, as it required a user
  with trusted privileges to access. This has lead to a number of
  security issues around mounting filesystems and other areas of the
  kernel.

  We should give administrators the option to disable unprivileged user
  namespaces via a sysctl if they have no need for it, to allow them to
  reduce their threat surface. The patch at
  http://www.openwall.com/lists/kernel-hardening/2016/01/28/8 does so.
  (debian is currently carrying a similar patch
  https://anonscm.debian.org/cgit/kernel/linux.git/tree/debian/patches/debian
  /add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-
  default.patch?h=sid ).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555321/+subscriptions


Follow ups