← Back to team overview

kernel-packages team mailing list archive

[Bug 1555321] Re: kernel should support disabling CLONE_NEWUSER via sysctl

 

Fixed in Ubuntu-4.4.0-9.24 by https://git.launchpad.net/~ubuntu-
kernel/ubuntu/+source/linux/+git/xenial/commit/?id=92e575e769cc50a9bfb50fb58fe94aab4f2a2bff

** Changed in: linux (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1555321

Title:
  kernel should support disabling CLONE_NEWUSER via sysctl

Status in linux package in Ubuntu:
  Fix Released

Bug description:
  Unprivileged user namespaces gives an unprivileged user access to a
  large set of kernel functionality and interfaces that has historically
  not been carefully vetted for security issues, as it required a user
  with trusted privileges to access. This has lead to a number of
  security issues around mounting filesystems and other areas of the
  kernel.

  We should give administrators the option to disable unprivileged user
  namespaces via a sysctl if they have no need for it, to allow them to
  reduce their threat surface. The patch at
  http://www.openwall.com/lists/kernel-hardening/2016/01/28/8 does so.
  (debian is currently carrying a similar patch
  https://anonscm.debian.org/cgit/kernel/linux.git/tree/debian/patches/debian
  /add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-
  default.patch?h=sid ).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555321/+subscriptions


References