[PATCH v2 4/4] selinux: Implement create_user_ns hook

Paul Moore paul at paul-moore.com
Wed Jul 20 14:52:23 UTC 2022


On Tue, Jul 19, 2022 at 10:42 PM Karl MacMillan
<karl at bigbadwolfsecurity.com> wrote:
> On Thu, Jul 7, 2022 at 6:34 PM Frederick Lawler <fred at cloudflare.com> wrote:
>>
>> Unprivileged user namespace creation is an intended feature to enable
>> sandboxing, however this feature is often used to as an initial step to
>> perform a privilege escalation attack.
>>
>> This patch implements a new namespace { userns_create } access control
>> permission to restrict which domains allow or deny user namespace
>> creation. This is necessary for system administrators to quickly protect
>> their systems while waiting for vulnerability patches to be applied.
>>
>> This permission can be used in the following way:
>>
>>         allow domA_t domB_t : namespace { userns_create };
>
>
> Isn’t this actually domA_t domA_t : namespace . . .
>
> I got confused reading this initially trying to figure out what the second domain type would be, but looking at the code cleared that up.

Ah, good catch, thanks Karl!

-- 
paul-moore.com



More information about the Linux-security-module-archive mailing list