Am 22.01.2016 um 23:39 schrieb Kees Cook: > There continues to be unexpected side-effects and security exposures > via CLONE_NEWUSER. For many end-users running distro kernels with > CONFIG_USER_NS enabled, there is no way to disable this feature when > desired. As such, this creates a sysctl to restrict CLONE_NEWUSER so > admins not running containers or Chrome can avoid the risks of this > feature.
Last time such a patch came up I was not thrilled because hiding a scary feature behind a knob IMHO doesn't make it any better nor helps finding issues. But as userns is still a source of a lot of issues and distros enable it by default a knob for the admin seems to be a good idea by now. ;-\ Thanks, //richard -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
