Kees Cook writes:
> Several sysctls expect a state where the highest value (in extra2) is
> locked once set for that boot. Yama does this, and kptr_restrict should
> be doing it. This extracts Yama's logic and adds it to the existing
> proc_dointvec_minmax_sysadmin, taking care to avoid the simpl
Kees Cook writes:
> There continue to be unexpected side-effects and security exposures
> via CLONE_NEWUSER. For many end-users running distro kernels with
> CONFIG_USER_NS enabled, there is no way to disable this feature when
> desired. As such, this creates a sysctl to restrict CLONE_NEWUSER s
On Thu, Jan 21, 2016 at 11:34:26AM -0600, ttha...@opensource.altera.com wrote:
> From: Thor Thayer
>
> Adding the device tree entries and bindings needed to support
> the Altera L2 cache and On-Chip RAM EDAC. This patch relies upon
> an earlier patch to declare and set up On-chip RAM properly.
> h
On Fri, 2016-01-22 at 15:00 -0800, Kees Cook wrote:
> On Fri, Jan 22, 2016 at 2:55 PM, Robert Święcki wrote:
> > 2016-01-22 23:50 GMT+01:00 Kees Cook :
> >
> > > > Seems that Debian and some older Ubuntu versions are already using
> > > >
> > > > $ sysctl -a | grep usern
> > > > kernel.unprivile
Quoting Kees Cook (keesc...@chromium.org):
> On Fri, Jan 22, 2016 at 2:55 PM, Robert Święcki wrote:
> > 2016-01-22 23:50 GMT+01:00 Kees Cook :
> >
> >>> Seems that Debian and some older Ubuntu versions are already using
> >>>
> >>> $ sysctl -a | grep usern
> >>> kernel.unprivileged_userns_clone =
Quoting Kees Cook (keesc...@chromium.org):
> On Fri, Jan 22, 2016 at 2:55 PM, Robert Święcki wrote:
> > 2016-01-22 23:50 GMT+01:00 Kees Cook :
> >
> >>> Seems that Debian and some older Ubuntu versions are already using
> >>>
> >>> $ sysctl -a | grep usern
> >>> kernel.unprivileged_userns_clone =
On Fri, Jan 22, 2016 at 5:37 PM, atull wrote:
> On Fri, 22 Jan 2016, Moritz Fischer wrote:
>
>> Alan,
>>
>> On Wed, Jan 20, 2016 at 8:24 PM, wrote:
>>
>> > +static int fpga_area_probe(struct platform_device *pdev)
>> > +{
>> > + struct device *dev = &pdev->dev;
>> > + struct device_n
On Fri, Jan 22, 2016 at 2:55 PM, Robert Święcki wrote:
> 2016-01-22 23:50 GMT+01:00 Kees Cook :
>
>>> Seems that Debian and some older Ubuntu versions are already using
>>>
>>> $ sysctl -a | grep usern
>>> kernel.unprivileged_userns_clone = 0
>>>
>>> Shall we be consistent with it?
>>
>> Oh! I didn
2016-01-22 23:50 GMT+01:00 Kees Cook :
>> Seems that Debian and some older Ubuntu versions are already using
>>
>> $ sysctl -a | grep usern
>> kernel.unprivileged_userns_clone = 0
>>
>> Shall we be consistent with it?
>
> Oh! I didn't see that on systems I checked. On which version did you find
>
On Fri, Jan 22, 2016 at 2:47 PM, Robert Święcki wrote:
> Seems that Debian and some older Ubuntu versions are already using
>
> $ sysctl -a | grep usern
> kernel.unprivileged_userns_clone = 0
>
> Shall we be consistent with it?
Oh! I didn't see that on systems I checked. On which version did you f
Am 22.01.2016 um 23:39 schrieb Kees Cook:
> There continue to be unexpected side-effects and security exposures
> via CLONE_NEWUSER. For many end-users running distro kernels with
> CONFIG_USER_NS enabled, there is no way to disable this feature when
> desired. As such, this creates a sysctl to re
Seems that Debian and some older Ubuntu versions are already using
$ sysctl -a | grep usern
kernel.unprivileged_userns_clone = 0
Shall we be consistent with it?
2016-01-22 23:39 GMT+01:00 Kees Cook :
> There continue to be many CONFIG_USER_NS related security exposures.
> For admins running dist
Several sysctls expect a state where the highest value (in extra2) is
locked once set for that boot. Yama does this, and kptr_restrict should
be doing it. This extracts Yama's logic and adds it to the existing
proc_dointvec_minmax_sysadmin, taking care to avoid the simple boolean
states (which do n
There continue to be many CONFIG_USER_NS related security exposures.
For admins running distro kernels with CONFIG_USER_NS, there is no way
to disable CLONE_NEWUSER. As many systems do not need CLONE_NEWUSER,
this provides a way for sysadmins to disable the feature.
This is inspired by a similar
There continue to be unexpected side-effects and security exposures
via CLONE_NEWUSER. For many end-users running distro kernels with
CONFIG_USER_NS enabled, there is no way to disable this feature when
desired. As such, this creates a sysctl to restrict CLONE_NEWUSER so
admins not running contain
On 01/22/2016 12:08 PM, Borislav Petkov wrote:
On Fri, Jan 22, 2016 at 06:56:57PM +0200, Vladimir Zapolskiy wrote:
it sounds like the author of the original change is Dinh, but if you agreed
about authorship transfer, then "From: Thor Thayer" statement should be
correct, but in any case your S
On Fri, Jan 22, 2016 at 06:56:57PM +0200, Vladimir Zapolskiy wrote:
> it sounds like the author of the original change is Dinh, but if you agreed
> about authorship transfer, then "From: Thor Thayer" statement should be
> correct, but in any case your SoB should follow Dinh's SoB, if you decide to
Hi Thor,
On 22.01.2016 17:35, Thor Thayer wrote:
> Hi Vladimir,
>
>
> On 01/22/2016 12:02 AM, Vladimir Zapolskiy wrote:
>> Hi Thor,
>>
>> On 21.01.2016 19:34, ttha...@opensource.altera.com wrote:
>>> From: Thor Thayer
>>>
>>> Adding L2 Cache and On-Chip RAM EDAC support for the
>>> Altera SoCs
On Fri, 22 Jan 2016, Moritz Fischer wrote:
> Alan,
>
> On Wed, Jan 20, 2016 at 8:24 PM, wrote:
>
> > +static int fpga_area_probe(struct platform_device *pdev)
> > +{
> > + struct device *dev = &pdev->dev;
> > + struct device_node *np = dev->of_node;
> > + struct fpga_area *ar
On Thu, Jan 14, 2016 at 03:46:05PM +0200, Rami Rosen wrote:
> This patch removes the text relating to compiling cgroup as a module,
> since commit 3ed80a62bf95 ("cgroup: drop module support") makes this text not
> relevant anymore.
>
> Signed-off-by: Rami Rosen
Applied to cgroup/for-4.5-fixes.
Hi Vladimir,
On 01/22/2016 12:02 AM, Vladimir Zapolskiy wrote:
Hi Thor,
On 21.01.2016 19:34, ttha...@opensource.altera.com wrote:
From: Thor Thayer
Adding L2 Cache and On-Chip RAM EDAC support for the
Altera SoCs using the EDAC device model. The SDRAM
controller is using the Memory Control
Alan,
On Wed, Jan 20, 2016 at 8:24 PM, wrote:
> +static int fpga_area_probe(struct platform_device *pdev)
> +{
> + struct device *dev = &pdev->dev;
> + struct device_node *np = dev->of_node;
> + struct fpga_area *area;
> + int ret;
> +
> + area = devm_kzalloc(dev,
22 matches