kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #166062
[Bug 1555321] [NEW] kernel should support disabling CLONE_NEWUSER via sysctl
*** This bug is a security vulnerability ***
Public security bug reported:
Unprivileged user namespaces gives an unprivileged user access to a
large set of kernel functionality and interfaces that has historically
not been carefully vetted for security issues, as it required a user
with trusted privileges to access. This has lead to a number of security
issues around mounting filesystems and other areas of the kernel.
We should give administrators the option to disable unprivileged user
namespaces via a sysctl if they have no need for it, to allow them to
reduce their threat surface. The patch at http://www.openwall.com/lists
/kernel-hardening/2016/01/28/8 does so. (debian is currently carrying a
similar patch
https://anonscm.debian.org/cgit/kernel/linux.git/tree/debian/patches/debian
/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-
default.patch?h=sid ).
** Affects: linux (Ubuntu)
Importance: Undecided
Status: Confirmed
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1555321
Title:
kernel should support disabling CLONE_NEWUSER via sysctl
Status in linux package in Ubuntu:
Confirmed
Bug description:
Unprivileged user namespaces gives an unprivileged user access to a
large set of kernel functionality and interfaces that has historically
not been carefully vetted for security issues, as it required a user
with trusted privileges to access. This has lead to a number of
security issues around mounting filesystems and other areas of the
kernel.
We should give administrators the option to disable unprivileged user
namespaces via a sysctl if they have no need for it, to allow them to
reduce their threat surface. The patch at
http://www.openwall.com/lists/kernel-hardening/2016/01/28/8 does so.
(debian is currently carrying a similar patch
https://anonscm.debian.org/cgit/kernel/linux.git/tree/debian/patches/debian
/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-
default.patch?h=sid ).
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555321/+subscriptions
Follow ups