Here we go, another one, it seems:

CVE-2022-2588 (https://seclists.org/oss-sec/2022/q3/115)


Seems I'm not the only one who's quite concerned about the ongoing
security impact of user namespaces, as the recent/current discussion
about some LSM patches for 6.1 shows:
https://lwn.net/ml/linux-kernel/CAHk-=wicqicqrnqpehbdf7eckhk_ceyzzk5dyq7y5nztzhp...@mail.gmail.com/#t

Quoting Linus:

> And I think you are in denial about how many problems the
> user-namespace stuff has caused.
>
> Distros are literally turning it off entirely because the whole "let
> users create their own namespace" has *NOT* been a great success.
>
> I personally think it was a mistake. We're stuck with it, but we most
> definitely need knobs to manage it that isn't just "enable/disable
> USER_NS" in the kernel config.
>
> So this whole "don't do this" approach you have is not acceptable.
>
> 99% of all code does NOT WANT the user namespace thing, and it's been
> a big new attack surface for the kernel getting things subtly wrong.


It's still a shame to see that Debian intentionally sacrifices the
security of *all* users just for the needs of very few.

Regards,
Philippe.
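Added here as an illustration, not part of Philippe's message or of the thread: a small C probe that answers the practical question behind the discussion, namely whether the box you are sitting on actually lets an unprivileged process create a user namespace. It assumes Linux, reads the upstream knob user.max_user_namespaces and the Debian-specific kernel.unprivileged_userns_clone (a Debian kernel patch; on other kernels the file is absent and is reported as -1), and then attempts unshare(CLONE_NEWUSER) in a forked child so the probing process itself is left untouched.

```c
/* Added example: probe whether unprivileged user-namespace creation is
 * allowed on this host. Not code from the thread. Assumes Linux;
 * kernel.unprivileged_userns_clone only exists on Debian-patched kernels. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read one integer sysctl from /proc/sys; -1 if the file does not exist
 * (e.g. the Debian knob on a non-Debian kernel) or cannot be parsed. */
long read_knob(const char *path)
{
    FILE *f = fopen(path, "r");
    long v = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Try unshare(CLONE_NEWUSER) in a child so the caller keeps its own
 * namespace. Returns 0 if the kernel allowed it, otherwise the errno the
 * child saw (EPERM: policy/seccomp denied it, EINVAL: no USER_NS support,
 * ENOSPC/EUSERS: nesting or count limit reached); -1 on fork/wait failure. */
int probe_userns(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER) == 0)
            _exit(0);
        _exit(errno);        /* errno values are small, fit in exit status */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* 1 if r is a result the probe can legitimately produce, 0 otherwise. */
int probe_result_is_known(int r)
{
    switch (r) {
    case 0: case EPERM: case EINVAL: case ENOSPC:
    case EUSERS: case ENOMEM: case ENOSYS:
        return 1;
    default:
        return 0;
    }
}

int main(void)
{
    long max_ns = read_knob("/proc/sys/user/max_user_namespaces");
    long deb_knob = read_knob("/proc/sys/kernel/unprivileged_userns_clone");
    int r = probe_userns();

    printf("user.max_user_namespaces        = %ld\n", max_ns);
    printf("kernel.unprivileged_userns_clone = %ld (-1: knob absent)\n", deb_knob);
    if (r == 0)
        printf("unshare(CLONE_NEWUSER): allowed for uid %u\n", (unsigned)getuid());
    else if (r > 0)
        printf("unshare(CLONE_NEWUSER): refused, errno %d\n", r);
    else
        printf("probe failed\n");
    return 0;
}
```

Run it as a normal user, not root: root passes the check regardless of the Debian knob because the restriction only applies to processes without CAP_SYS_ADMIN. A 0 result means any local user can hand the kernel the namespace-creation attack surface the quoted message complains about; EPERM with user.max_user_namespaces still non-zero is the Debian-style "compiled in but off by default" state.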
