
A security-module hook for user-namespace creation

Posted Aug 8, 2022 20:03 UTC (Mon) by jrjohansen (subscriber, #75010)
In reply to: A security-module hook for user-namespace creation by Cyberax
Parent article: A security-module hook for user-namespace creation

> > CVE-2014-7169
>
> This doesn't prevent the exploit that allows the attacker to run arbitrary code, but it prevents this arbitrary code from gaining root right away. Assuming no other exploits.

Of course it can't stop or fix every flaw/CVE in an application, but it did do its job of containing said flaw and prevented it from becoming a root exploit. Yes, there could be another way to elevate to root; that is always a possibility unless you can mathematically prove otherwise, but it did stop this one.

> > CVE-2017-6074
>
> This is BS. Basically, "you can use SELinux to prohibit loading of modules". You can also just delete them, it's not a mitigation.

Yes it is. Sure there are other ways to block modules from loading: building the kernel without module support, lockdown (also an LSM), loadpin (also an LSM). What SELinux brings is context, where some services are still allowed to load modules, because the broader solutions don't work for some environments.

> > CVE-2019-5736
>
> This was the only real non-trivial one from your list, and in this case the proper fix is to use user namespaces.

The proper fix is always to patch/rewrite the software to remove the vulnerability; that doesn't take away from SELinux doing its job here.

> All in all, very few exploits are truly prevented by SELinux. It sometimes makes it harder for an attacker to gain wider access.

Security is about layers, and making it harder for an attacker is a win. No, SELinux won't fix programs that have exploits in them, but neither do user namespaces.
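The "context" point above, as an added illustration that is not part of this thread: a minimal SELinux type-enforcement fragment in which most confined services simply have no rule granting module loading (SELinux policy is default-deny), while one designated domain keeps it as an explicit, auditable exception. The domain and type names (`svc_a_t`, `kmod_helper_t`, `modules_object_t`) and the module name are assumptions for the example; the `sys_module` capability and the `system` class `module_load` permission are the checks the kernel's SELinux hooks actually perform for init_module/finit_module.

```text
# Added example policy module (not from the thread). Names are hypothetical.
policy_module(modload_example, 1.0)

# A confined service: it is given its own domain but NO rule for module
# loading. Even if an exploit in it gains uid 0, init_module()/finit_module()
# are denied (EPERM) and an AVC denial is logged for the attempt.
type svc_a_t;

# The one service that legitimately loads modules on this host.
type kmod_helper_t;

# Type assumed to label the module files under /lib/modules.
type modules_object_t;

# CAP_SYS_MODULE is checked first by the capability hook.
allow kmod_helper_t self:capability sys_module;

# init_module() (module image from memory): target is the loading domain.
allow kmod_helper_t self:system module_load;

# finit_module() (module image from a file): target is the file's label,
# so the helper can only load modules from the labelled module tree.
allow kmod_helper_t modules_object_t:file { read open };
allow kmod_helper_t modules_object_t:system module_load;
```

Every other domain on the system is in the same position as `svc_a_t`: no `sys_module` and no `module_load`, so a module-loading escalation is contained without disabling modules globally the way lockdown, loadpin or a modules-less kernel would.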


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.