On Fri, 2016-01-22 at 15:00 -0800, Kees Cook wrote: > On Fri, Jan 22, 2016 at 2:55 PM, Robert Święcki <rob...@swiecki.net> wrote: > > 2016-01-22 23:50 GMT+01:00 Kees Cook <keesc...@chromium.org>: > > > > > > Seems that Debian and some older Ubuntu versions are already using > > > > > > > > $ sysctl -a | grep usern > > > > kernel.unprivileged_userns_clone = 0 > > > > > > > > Shall we be consistent wit it? > > > > > > Oh! I didn't see that on systems I checked. On which version did you find > > > that? > > > > $ uname -a > > Linux bc1 4.3.0-0.bpo.1-amd64 #1 SMP Debian 4.3.3-5~bpo8+1 > > (2016-01-07) x86_64 GNU/Linux > > $ cat /etc/debian_version > > 8.2 > > Ah-ha, Debian only, though it looks like this was just committed to > the Ubuntu kernel tree too: > > > > IIRC some older kernels delivered with Ubuntu Precise were also using > > it (but maybe I'm mistaken) > > I don't see it there. > > I think my patch is more complete, but I'm happy to change the name if > this sysctl has already started to enter the global consciousness. ;) > > Serge, Ben, what do you think?
I agree that using the '_restrict' suffix for new restrictions makes
sense. I also don't think that a third possible value for
kernel.unprivileged_userns_clone would would be understandable.
I would probably make kernel.unprivileged_userns_clone a wrapper for
kernel.userns_restrict in Debian, then deprecate and eventually remove
it.
Ben.
--
Ben Hutchings
Life is what happens to you while you're busy making other plans.
- John Lennon
signature.asc
Description: This is a digitally signed message part
