oss-sec mailing list archives
Re: Re: Linux user namespaces can bypass group-based restrictions
From: Simon McVittie <smcv () debian org>
Date: Thu, 20 Nov 2014 11:39:37 +0000
On 20/11/14 08:49, Vitor Ventura wrote:
> I was wondering if this might pose a problem to Android's application file sandboxing. If an application can run a native lib that could exploit this it might have access to other application files.

Only if Android has groups that act as "anti-capabilities", i.e. members of the group are less privileged than non-members. For instance, if I remember correctly, the grsecurity patchset has (or used to have) the ability to deny networking to members of a designated group while allowing it for everyone else.

I don't know of any groups in Android that are anti-capabilities, and nothing in <http://osxr.org/android/source/system/core/include/private/android_filesystem_config.h> looks like an obvious anti-capability. Do you know of any?

    S
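An added illustration, not part of the original message: one place an "anti-capability" group can show up is in file modes, where the group bits grant less than the other bits, so being a member of the file's group reduces access. The audit sketch below lists such paths under a directory. The function names are assumptions of this example and the sample files are constructed in a temporary directory.

```python
import os
import stat
import tempfile


def is_negative_group_mode(mode):
    """True when 'other' holds a permission bit that 'group' lacks."""
    group_bits = (mode >> 3) & 0o7
    other_bits = mode & 0o7
    return bool(other_bits & ~group_bits)


def find_anti_capability_paths(root):
    """Return sorted (path, gid, mode) for entries whose group is denied
    something that everyone else is allowed."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not used for access checks
            if is_negative_group_mode(st.st_mode):
                hits.append((path, st.st_gid, stat.S_IMODE(st.st_mode)))
    return sorted(hits)


def demo():
    """Build constructed sample files and return the names flagged."""
    samples = {"restricted.txt": 0o604, "shared.txt": 0o640, "public.txt": 0o644}
    with tempfile.TemporaryDirectory() as root:
        for name, mode in samples.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)  # explicit chmod so the umask does not interfere
        return [(os.path.basename(p), oct(m))
                for p, _gid, m in find_anti_capability_paths(root)]


if __name__ == "__main__":
    for name, mode in demo():
        print(name, mode)
```

Running `find_anti_capability_paths` over a real tree and mapping each reported gid back to its group name shows which groups on that system are being used to take access away rather than grant it.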
Current thread:
- Linux user namespaces can bypass group-based restrictions Andy Lutomirski (Nov 17)
- Re: Linux user namespaces can bypass group-based restrictions Andy Lutomirski (Nov 19)
- Re: Re: Linux user namespaces can bypass group-based restrictions Vitor Ventura (Nov 20)
- Re: Re: Linux user namespaces can bypass group-based restrictions Simon McVittie (Nov 20)
- Re: Re: Linux user namespaces can bypass group-based restrictions Vitor Ventura (Nov 20)
- Re: Linux user namespaces can bypass group-based restrictions - Linux kernel cve-assign (Nov 19)
- Re: Linux user namespaces can bypass group-based restrictions Andy Lutomirski (Nov 19)