oss-sec mailing list archives
Re: New Linux kernel NetFilter flaw gives attackers root privileges
From: Florian Weimer <fweimer () redhat com>
Date: Thu, 11 May 2023 17:20:20 +0200
* Tobias Heider:
> Another thing worth mentioning is that the apparmor team has done some very interesting work on providing finer control over unprivileged user namespaces on a per application basis:
>
> https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
>
> This would allow having opt-in unprivileged userns support only for confined and explicitly permitted applications and could hopefully drastically reduce the impact of similar bugs in the future.

Doesn't unprivileged chroot need user namespace support? So a side effect of disabling it might be to force applications to switch to userspace emulation of pathname lookup. That doesn't seem like a good tradeoff?

Thanks,
Florian