On Mon, Mar 7, 2016 at 9:15 PM, Andy Lutomirski <l...@amacapital.net> wrote: > Hi all- > > There are several users and distros that are nervous about user > namespaces from an attack surface point of view. > > - RHEL and Arch have userns disabled. > > - Ubuntu requires CAP_SYS_ADMIN > > - Kees periodically proposes to upstream some sysctl to control > userns creation.
And here's another ring0 escalation flaw, made available to unprivileged users because of userns: https://code.google.com/p/google-security-research/issues/detail?id=758 > I think there are three main types of concerns. First, there might be > some as-yet-unknown semantic issues that would allow privilege > escalation by users who create user namespaces and then confuse > something else in the system. Second, enabling user namespaces > exposes a lot of attack surface to unprivileged users. Third, > allowing tasks to create user namespaces exposes the kernel to various > resource exhaustion attacks that wouldn't be possible otherwise. > > Since I doubt we'll ever fully address the attack surface issue at > least, would it make sense to try to come up with an upstreamable way > to limit who can create new user namespaces and/or do various > dangerous things with them? The change in attack surface is _substantial_. We must have a way to globally disable userns. -Kees -- Kees Cook Chrome OS & Brillo Security
