On Thu, Oct 22, 2015 at 1:45 PM, Eric W. Biederman
wrote:
>
> Thank you for a creative solution to a problem that you perceive. I
> appreciate it when people aim to solve problems they see.
>
> Tobias Markus writes:
>
>> On 17.10.2015 23:55, Serge E.
Andy Lutomirski writes:
> At the risk of pointing out a can of worms, the attack surface also
> includes things like the iptables configuration APIs, parsers, and
> filter/conntrack/action modules.
It is worth noting that module auto-load does not happen if the
triggering
On Oct 19, 2015 7:25 AM, "Austin S Hemmelgarn" wrote:
>
> On 2015-10-17 11:58, Tobias Markus wrote:
>>
>> Add capability CAP_SYS_USER_NS.
>> Tasks having CAP_SYS_USER_NS are allowed to create a new user namespace
>> when calling clone or unshare with CLONE_NEWUSER.
>>
>>
On 19.10.2015 at 14:36, Yves-Alexis Perez wrote:
> On Sun., 2015-10-18 at 20:41 -0500, Serge E. Hallyn wrote:
>> We shouldn't need a long-term solution. Your concern is bugs. After
>> some time surely we'll feel that we have achieved a stable solution?
>
> But this is actually the whole point:
On Sun., 2015-10-18 at 20:41 -0500, Serge E. Hallyn wrote:
> We shouldn't need a long-term solution. Your concern is bugs. After
> some time surely we'll feel that we have achieved a stable solution?
But this is actually the whole point: we need a long term solution, because
they will always be
On 2015-10-17 11:58, Tobias Markus wrote:
Add capability CAP_SYS_USER_NS.
Tasks having CAP_SYS_USER_NS are allowed to create a new user namespace
when calling clone or unshare with CLONE_NEWUSER.
Rationale:
Linux 3.8 saw the introduction of unprivileged user namespaces,
allowing unprivileged
On 18.10.2015 at 22:41, Tobias Markus wrote:
> On 18.10.2015 22:21, Richard Weinberger wrote:
>> On 18.10.2015 at 22:13, Tobias Markus wrote:
>>> On 17.10.2015 22:17, Richard Weinberger wrote:
On Sat, Oct 17, 2015 at 5:58 PM, Tobias Markus wrote:
> One question
On 18.10.2015 at 22:13, Tobias Markus wrote:
> On 17.10.2015 22:17, Richard Weinberger wrote:
>> On Sat, Oct 17, 2015 at 5:58 PM, Tobias Markus wrote:
>>> One question remains though: Does this break userspace executables that
>>> expect being able to create user namespaces
On 18.10.2015 22:21, Richard Weinberger wrote:
> On 18.10.2015 at 22:13, Tobias Markus wrote:
>> On 17.10.2015 22:17, Richard Weinberger wrote:
>>> On Sat, Oct 17, 2015 at 5:58 PM, Tobias Markus wrote:
One question remains though: Does this break userspace executables that
On Sat, Oct 17, 2015 at 5:58 PM, Tobias Markus wrote:
> One question remains though: Does this break userspace executables that
> expect being able to create user namespaces without privilege? Since
> creating user namespaces without CAP_SYS_ADMIN was not possible before
>
On Sat, Oct 17, 2015 at 05:58:04PM +0200, Tobias Markus wrote:
> Add capability CAP_SYS_USER_NS.
> Tasks having CAP_SYS_USER_NS are allowed to create a new user namespace
> when calling clone or unshare with CLONE_NEWUSER.
>
> Rationale:
>
> Linux 3.8 saw the introduction of unprivileged user