Control: tag -1 - moreinfo

On Sun, 2018-05-13 at 19:19 +0200, Frederik Himpe wrote:
> On Sun, 13 May 2018 00:33:02 +0100 Ben Hutchings <b...@decadent.org.uk>
> wrote:
> > Control: tag -1 moreinfo
> >
> > On Fri, 2018-05-11 at 20:44 +0200, Laurent Bigonville wrote:
> > > Source: linux
> > > Version: 4.16.5-1
> > > Severity: normal
> > >
> > > Hi,
> > >
> > > Firefox (and probably other applications) are using user namespaces these
> > > days to enhance the security.
> >
> > Can you provide some information about this?
>
> There is some info here:
> https://www.morbo.org/2018/05/linux-sandboxing-improvements-in_10.html

Quoting from there:

> This [..] complements the existing sandbox: in addition to blocking
> specific system calls like `open` and `connect`, we can prevent
> filesystem/network access no matter how it is requested. This is part
> of our defense in depth: if a clever attacker manages to bypass one
> layer of protection, that still won't be enough to compromise the
> system.

So it seems that for Firefox user namespaces are nice to have, but not
critical for the sandbox.

Ben.

-- 
Ben Hutchings
For every action, there is an equal and opposite criticism. - Harrison