Re: [PATCH] Add ability to disallow idmapped mounts

From: Anton V. Boyarshinov
Date: Fri Feb 04 2022 - 05:26:21 EST


On Fri, 4 Feb 2022 10:45:15 +0100
Christian Brauner <brauner@xxxxxxxxxx> wrote:

> If you want to turn off idmapped mounts you can already do so today via:
> echo 0 > /proc/sys/user/max_user_namespaces

It turns off much more than idmapped mounts only. More fine-grained
control seems better to me.

> They can neither
> be created as an unprivileged user nor can they be created inside user
> namespaces.

But the actions of a fully privileged user can open non-obvious ways to
privilege escalation.