Re: [kernel-hardening] Re: [PATCH 2/2] sysctl: allow CLONE_NEWUSER to be disabled

On Sun, Jan 24, 2016 at 2:20 PM, Andy Lutomirski wrote: > On Sun, Jan 24, 2016 at 12:59 PM, Kees Cook wrote: >> On Fri, Jan 22, 2016 at 4:59 PM, Ben Hutchings wrote: >>> On Fri, 2016-01-22 at 15:00 -0800, Kees Cook wrote: On Fri, Jan 22, 2016 at 2:55 PM, Robert Święcki wrote: > 2016-0

Re: [kernel-hardening] Re: [PATCH 2/2] sysctl: allow CLONE_NEWUSER to be disabled

On Sun, Jan 24, 2016 at 12:59 PM, Kees Cook wrote: > On Fri, Jan 22, 2016 at 4:59 PM, Ben Hutchings wrote: >> On Fri, 2016-01-22 at 15:00 -0800, Kees Cook wrote: >>> On Fri, Jan 22, 2016 at 2:55 PM, Robert Święcki wrote: >>> > 2016-01-22 23:50 GMT+01:00 Kees Cook : >>> > >>> > > > Seems that Deb

Re: [kernel-hardening] Re: [PATCH 2/2] sysctl: allow CLONE_NEWUSER to be disabled

On Fri, Jan 22, 2016 at 4:59 PM, Ben Hutchings wrote: > On Fri, 2016-01-22 at 15:00 -0800, Kees Cook wrote: >> On Fri, Jan 22, 2016 at 2:55 PM, Robert Święcki wrote: >> > 2016-01-22 23:50 GMT+01:00 Kees Cook : >> > >> > > > Seems that Debian and some older Ubuntu versions are already using >> > >

Re: [kernel-hardening] Re: [PATCH 2/2] sysctl: allow CLONE_NEWUSER to be disabled

On Fri, 2016-01-22 at 15:00 -0800, Kees Cook wrote: > On Fri, Jan 22, 2016 at 2:55 PM, Robert Święcki wrote: > > 2016-01-22 23:50 GMT+01:00 Kees Cook : > > > > > > Seems that Debian and some older Ubuntu versions are already using > > > > > > > > $ sysctl -a | grep usern > > > > kernel.unprivile

Re: [PATCH 2/2] sysctl: allow CLONE_NEWUSER to be disabled

Quoting Kees Cook (keesc...@chromium.org): > On Fri, Jan 22, 2016 at 2:55 PM, Robert Święcki wrote: > > 2016-01-22 23:50 GMT+01:00 Kees Cook : > > > >>> Seems that Debian and some older Ubuntu versions are already using > >>> > >>> $ sysctl -a | grep usern > >>> kernel.unprivileged_userns_clone =

Re: [PATCH 2/2] sysctl: allow CLONE_NEWUSER to be disabled

Quoting Kees Cook (keesc...@chromium.org): > On Fri, Jan 22, 2016 at 2:55 PM, Robert Święcki wrote: > > 2016-01-22 23:50 GMT+01:00 Kees Cook : > > > >>> Seems that Debian and some older Ubuntu versions are already using > >>> > >>> $ sysctl -a | grep usern > >>> kernel.unprivileged_userns_clone =

Re: [PATCH 2/2] sysctl: allow CLONE_NEWUSER to be disabled

On Fri, Jan 22, 2016 at 2:55 PM, Robert Święcki wrote: > 2016-01-22 23:50 GMT+01:00 Kees Cook : > >>> Seems that Debian and some older Ubuntu versions are already using >>> >>> $ sysctl -a | grep usern >>> kernel.unprivileged_userns_clone = 0 >>> >>> Shall we be consistent wit it? >> >> Oh! I didn

Re: [PATCH 2/2] sysctl: allow CLONE_NEWUSER to be disabled

2016-01-22 23:50 GMT+01:00 Kees Cook : >> Seems that Debian and some older Ubuntu versions are already using >> >> $ sysctl -a | grep usern >> kernel.unprivileged_userns_clone = 0 >> >> Shall we be consistent wit it? > > Oh! I didn't see that on systems I checked. On which version did you find >

Re: [PATCH 2/2] sysctl: allow CLONE_NEWUSER to be disabled

On Fri, Jan 22, 2016 at 2:47 PM, Robert Święcki wrote: > Seems that Debian and some older Ubuntu versions are already using > > $ sysctl -a | grep usern > kernel.unprivileged_userns_clone = 0 > > Shall we be consistent wit it? Oh! I didn't see that on systems I checked. On which version did you f

Re: [PATCH 2/2] sysctl: allow CLONE_NEWUSER to be disabled

Seems that Debian and some older Ubuntu versions are already using $ sysctl -a | grep usern kernel.unprivileged_userns_clone = 0 Shall we be consistent wit it? 2016-01-22 23:39 GMT+01:00 Kees Cook : > There continues to be many CONFIG_USER_NS related security exposures. > For admins running dist