kernel-packages team mailing list archive

Thread
Date

[Bug 1555321] Re: kernel should support disabling CLONE_NEWUSER via sysctl

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1555321@xxxxxxxxxxxxxxxxxx>
Date: Wed, 09 Mar 2016 20:24:16 -0000
Reply-to: Bug 1555321 <1555321@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: linux (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1555321

Title:
  kernel should support disabling CLONE_NEWUSER via sysctl

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  Unprivileged user namespaces gives an unprivileged user access to a
  large set of kernel functionality and interfaces that has historically
  not been carefully vetted for security issues, as it required a user
  with trusted privileges to access. This has lead to a number of
  security issues around mounting filesystems and other areas of the
  kernel.

  We should give administrators the option to disable unprivileged user
  namespaces via a sysctl if they have no need for it, to allow them to
  reduce their threat surface. The patch at
  http://www.openwall.com/lists/kernel-hardening/2016/01/28/8 does so.
  (debian is currently carrying a similar patch
  https://anonscm.debian.org/cgit/kernel/linux.git/tree/debian/patches/debian
  /add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-
  default.patch?h=sid ).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555321/+subscriptions

References

[Bug 1555321] [NEW] kernel should support disabling CLONE_NEWUSER via sysctl
From: Steve Beattie, 2016-03-09