oss-sec mailing list archives

Re: New Linux kernel NetFilter flaw gives attackers root privileges


From: Florian Weimer <fweimer () redhat com>
Date: Thu, 11 May 2023 17:20:20 +0200

* Tobias Heider:

> Another thing worth mentioning is that the apparmor team has done some very
> interesting work on providing finer control over unprivileged user namespaces
> on a per application basis:
> https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
>
> This would allow having opt-in unprivileged userns support only for
> confined and explicitly permitted applications and could hopefully
> drastically reduce the impact of similar bugs in the future.

Doesn't unprivileged chroot need user namespace support?  So a side
effect of disabling it might be to force applications to switch to
userspace emulation of pathname lookup.  That doesn't seem like a good
tradeoff?

Thanks,
Florian
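The dependency Florian asks about can be checked directly: chroot(2) needs CAP_SYS_CHROOT, which an unprivileged process only obtains by entering its own user namespace, so a policy that denies unprivileged user namespaces also denies unprivileged chroot. The program below is an added illustration written for this archive, not code from either poster; the function names and the probe directory argument are hypothetical, and the /proc writes follow the standard uid_map/gid_map/setgroups protocol. Each probe runs in a forked child so the calling process's namespace is left untouched.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of a probe; returned through the child's exit status. */
enum chroot_probe {
    PROBE_CHROOT_OK = 0,      /* chroot(2) succeeded */
    PROBE_USERNS_DENIED = 1,  /* unshare(CLONE_NEWUSER) refused by policy/kernel */
    PROBE_CHROOT_DENIED = 2,  /* chroot(2) failed (no CAP_SYS_CHROOT) */
    PROBE_ERROR = 3           /* fork/wait/proc write failure: inconclusive */
};

/* Write one string to a file; returns 0 on a complete write. */
static int write_file(const char *path, const char *buf)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, buf, strlen(buf));
    close(fd);
    return n == (ssize_t)strlen(buf) ? 0 : -1;
}

/* Child body: enter a fresh user namespace, map our uid/gid to 0 inside it
 * (which grants CAP_SYS_CHROOT there), then attempt chroot(dir). */
static int child_userns_chroot(const char *dir)
{
    char map[64];
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (unshare(CLONE_NEWUSER) != 0)
        return PROBE_USERNS_DENIED;
    /* Must deny setgroups before gid_map can be written by an unprivileged
     * process (Linux >= 3.19); on older kernels the file is absent, ignore. */
    write_file("/proc/self/setgroups", "deny");
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)uid);
    if (write_file("/proc/self/uid_map", map) != 0)
        return PROBE_ERROR;
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)gid);
    if (write_file("/proc/self/gid_map", map) != 0)
        return PROBE_ERROR;
    return chroot(dir) == 0 ? PROBE_CHROOT_OK : PROBE_CHROOT_DENIED;
}

/* Child body: plain chroot(dir) with whatever capabilities we already have. */
static int child_plain_chroot(const char *dir)
{
    return chroot(dir) == 0 ? PROBE_CHROOT_OK : PROBE_CHROOT_DENIED;
}

/* Run a probe in a child and collect its verdict. */
static int run_probe(int (*body)(const char *), const char *dir)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_ERROR;
    if (pid == 0)
        _exit(body(dir));
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return PROBE_ERROR;
    return WEXITSTATUS(status);
}

/* Hypothetical probe names used by this example. */
int probe_userns_chroot(const char *dir) { return run_probe(child_userns_chroot, dir); }
int probe_plain_chroot(const char *dir)  { return run_probe(child_plain_chroot, dir); }

static const char *probe_name(int r)
{
    static const char *names[] = { "chroot ok", "userns denied", "chroot denied", "error" };
    return (r >= 0 && r <= 3) ? names[r] : "?";
}

int main(void)
{
    printf("euid=%u\n", (unsigned)geteuid());
    printf("plain chroot:            %s\n", probe_name(probe_plain_chroot("/")));
    printf("chroot inside new userns: %s\n", probe_name(probe_userns_chroot("/")));
    return 0;
}
```

Run as an ordinary user: "plain chroot" is denied, and the userns variant succeeds only where unprivileged user namespaces are permitted; with the AppArmor restriction (or `kernel.unprivileged_userns_clone=0` on distributions that carry that sysctl) it reports "userns denied", which is exactly the case that would push an unconfined application toward userspace path emulation.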

