Fixed in Ubuntu-4.4.0-9.24 by https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/xenial/commit/?id=92e575e769cc50a9bfb50fb58fe94aab4f2a2bff
** Changed in: linux (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1555321

Title:
  kernel should support disabling CLONE_NEWUSER via sysctl

Status in linux package in Ubuntu:
  Fix Released

Bug description:
  Unprivileged user namespaces give an unprivileged user access to a large set of kernel functionality and interfaces that has historically not been carefully vetted for security issues, as it required a user with trusted privileges to access. This has led to a number of security issues around mounting filesystems and other areas of the kernel.

  We should give administrators the option to disable unprivileged user namespaces via a sysctl if they have no need for it, to allow them to reduce their threat surface. The patch at http://www.openwall.com/lists/kernel-hardening/2016/01/28/8 does so. (Debian is currently carrying a similar patch: https://anonscm.debian.org/cgit/kernel/linux.git/tree/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch?h=sid )

Mailing list: https://launchpad.net/~kernel-packages
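An added verification script, not part of the bug report, the Ubuntu kernel or either patch: it reads the sysctl that these patches add, assumed here to be kernel.unprivileged_userns_clone (the bug text does not name it), and then confirms from an unprivileged process that unshare(CLONE_NEWUSER) is actually refused, so an administrator can check that the hardening is both configured and effective.

```python
import ctypes
import errno
import os
from pathlib import Path

# Knob added by the Ubuntu/Debian patches; the path is an assumption, the bug
# text does not name it. Absent on kernels without the patch.
SYSCTL_PATH = Path("/proc/sys/kernel/unprivileged_userns_clone")
CLONE_NEWUSER = 0x10000000  # flag value from <linux/sched.h>


def userns_clone_allowed(sysctl_value):
    """Interpret the sysctl text: '0' = unprivileged CLONE_NEWUSER denied,
    '1' = allowed. Returns None for anything else (unknown/unsupported)."""
    text = sysctl_value.strip()
    if text not in ("0", "1"):
        return None
    return text == "1"


def read_policy():
    """Read the live sysctl; a missing file means the kernel lacks the knob,
    i.e. unprivileged user namespaces cannot be switched off this way."""
    try:
        return userns_clone_allowed(SYSCTL_PATH.read_text())
    except FileNotFoundError:
        return None


def probe_unprivileged_userns():
    """Attempt unshare(CLONE_NEWUSER) in a forked child and return the child's
    errno (0 = the kernel created a user namespace). Forking keeps the probing
    process itself out of any namespace the call might create."""
    libc = ctypes.CDLL(None, use_errno=True)
    pid = os.fork()
    if pid == 0:  # child: try the syscall, report errno via exit status
        rc = libc.unshare(CLONE_NEWUSER)
        os._exit(0 if rc == 0 else ctypes.get_errno())
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status)


if __name__ == "__main__":
    policy = read_policy()
    labels = {True: "allowed", False: "denied", None: "knob absent"}
    print("sysctl policy:", labels[policy])
    err = probe_unprivileged_userns()
    print("unshare(CLONE_NEWUSER):", "ok" if err == 0 else errno.errorcode.get(err, err))
```

Run it as an ordinary user: with the knob set to 0 the probe should report EPERM; a successful unshare alongside a "denied" policy reading would indicate the setting is not taking effect.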