** Changed in: linux (Ubuntu)
       Importance: Undecided => Medium

** Tags added: kernel-da-key
--
https://bugs.launchpad.net/bugs/1555321

Title:
  kernel should support disabling CLONE_NEWUSER via sysctl

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  Unprivileged user namespaces give an unprivileged user access to a large
  set of kernel functionality and interfaces that has historically not been
  carefully vetted for security issues, as it required a user with trusted
  privileges to access. This has led to a number of security issues around
  mounting filesystems and other areas of the kernel.

  We should give administrators the option to disable unprivileged user
  namespaces via a sysctl if they have no need for it, to allow them to
  reduce their threat surface.

  The patch at http://www.openwall.com/lists/kernel-hardening/2016/01/28/8
  does so. (Debian is currently carrying a similar patch:
  https://anonscm.debian.org/cgit/kernel/linux.git/tree/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch?h=sid )
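The report asks for a sysctl an administrator can flip to refuse unprivileged CLONE_NEWUSER. The following audit helper is an added example written for this page, not code from the bug report or from the Debian/Ubuntu patch. It assumes the knob names used by the Debian/Ubuntu patch and by mainline kernels: kernel.unprivileged_userns_clone (0 = refuse unprivileged user namespaces, 1 = allow) and user.max_user_namespaces (0 = no new user namespaces at all, for privileged callers too, so it is a blunter control). The functions take file paths so the check can be exercised against constructed values as well as the live /proc/sys tree.

```shell
#!/bin/sh
# Added example (not part of the bug report): report whether the running
# kernel will refuse unprivileged user namespace creation.
# Assumed sysctl names (not stated on the bug page):
#   /proc/sys/kernel/unprivileged_userns_clone  (Debian/Ubuntu patch, 0/1)
#   /proc/sys/user/max_user_namespaces          (mainline, 0 = none allowed)

# userns_state FILE
# Prints "disabled", "enabled", "unknown" or "absent" for a 0/1 sysctl file.
userns_state() {
    f="$1"
    [ -r "$f" ] || { echo absent; return 0; }
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        0) echo disabled ;;
        1) echo enabled ;;
        *) echo unknown ;;
    esac
}

# max_userns_state FILE
# Prints "disabled" when the limit is 0, "enabled" for any positive limit.
max_userns_state() {
    f="$1"
    [ -r "$f" ] || { echo absent; return 0; }
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        0) echo disabled ;;
        ''|*[!0-9]*) echo unknown ;;
        *) echo enabled ;;
    esac
}

# audit_userns CLONE_FILE MAX_FILE
# Exit 0 when either knob prevents unprivileged CLONE_NEWUSER, 1 otherwise.
# Prints which knob produced the verdict so an operator can see why.
audit_userns() {
    clone_file="$1"
    max_file="$2"
    s=$(userns_state "$clone_file")
    if [ "$s" = "disabled" ]; then
        echo "disabled via $clone_file"
        return 0
    fi
    m=$(max_userns_state "$max_file")
    if [ "$m" = "disabled" ]; then
        echo "disabled via $max_file"
        return 0
    fi
    echo "enabled (unprivileged_userns_clone=$s, max_user_namespaces=$m)"
    return 1
}

# Run against the live kernel when executed as a script.
if audit_userns /proc/sys/kernel/unprivileged_userns_clone \
                /proc/sys/user/max_user_namespaces; then
    echo "unprivileged user namespaces: blocked"
else
    echo "unprivileged user namespaces: allowed (consider sysctl kernel.unprivileged_userns_clone=0 where the patch is present)"
fi
```

The script distinguishes "absent" (kernel without the patch) from "enabled" (patch present but knob left at 1), which matters when rolling the setting out across a fleet: a configuration management rule that blindly writes kernel.unprivileged_userns_clone=0 fails on kernels that lack the sysctl, so check for the file first.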