[PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled

From: Kees Cook
Date: Fri Jan 22 2016 - 17:39:39 EST
There continue to be unexpected side-effects and security exposures
via CLONE_NEWUSER. For many end-users running distro kernels with
CONFIG_USER_NS enabled, there is no way to disable this feature when
desired. As such, this creates a sysctl to restrict CLONE_NEWUSER so
admins not running containers or Chrome can avoid the risks of this
feature.

-Kees