Anatomy of a user namespaces vulnerability

Posted Mar 21, 2013 0:57 UTC (Thu) by dlang (✭ supporter ✭, #313)
In reply to: Anatomy of a user namespaces vulnerability by butlerm
Parent article: Anatomy of a user namespaces vulnerability

I also wonder about these 'odd' combinations.

One thing I've found is that any time I tend to think "there's no reason for anyone to use _that_ combination", someone ends up running into a case where it's exactly the right thing to use.

You almost need these things to be configurable. The problem is in figuring out how to do that without imposing unacceptable overhead in every fork() call.

I wonder if the 'traditional' flags and combinations could be whitelisted into a very fast special case, and combinations that use the new flags/features branch off to a more flexible/detailed set of checks that may be a bit slower.



Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds