LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for April 4, 2013

LWN.net Weekly Edition for March 28, 2013

A kernel change breaks GlusterFS

PyCon: Evangelizing Python

Multipath TCP: an overview

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Anatomy of a user namespaces vulnerability

Anatomy of a user namespaces vulnerability

Posted Mar 21, 2013 0:57 UTC (Thu) by dlang (✭ supporter ✭, #313)
In reply to: Anatomy of a user namespaces vulnerability by butlerm
Parent article: Anatomy of a user namespaces vulnerability

I also wonder about these 'odd' combinations.

One thing I've found is that any time I tend to think "there's no reason for anyone to use _that_ combination", someone ends up running into a case where it's exactly the right thing to use.

You almost need these things to be configurable. The problem is in figuring out how to do that without imposing unacceptable overhead in every fork() call.

I wonder if the 'traditional' flags and combinations could be whitelisted into a very fast special case, and combinations that use the new flags/features branch off to a more flexible/detailed set of checks that may be a bit slower.

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds