Received: by 10.223.164.202 with SMTP id h10csp419091wrb;
        Thu, 9 Nov 2017 08:19:29 -0800 (PST)
X-Google-Smtp-Source: ABhQp+TQ/EefBzV+W8tSC0k35GUqVO+2m7jrKrGu+j2oWe6kN9WGADnROdbmjWyh/JxhrVbxaKhA
X-Received: by 10.98.247.26 with SMTP id h26mr968438pfi.233.1510244369023;
        Thu, 09 Nov 2017 08:19:29 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1510244368; cv=none;
        d=google.com; s=arc-20160816;
        b=SAlx4UaHOKCfXRFM45fPvv5uLZdSzj9ZaJ9ru8zkoVxMPOMS0pBRjY4Az1ju8EIXrG
         hfdKLIfbBjp7GVrZj2qqKepfyhSe/n5AkRqYak8TZKZ4IIDlxO9JryBW+oP7P/9yuIYa
         X30AYwpZ6/2Epc+EgIGJx+5eI0p6UeQd8bUr/XGlZkCHSJFbZIsYUL13XqU9B98/ZHAi
         I9BBig39Sczpi9IgSqE2xqcU+ZnfoaEXZL55oJZHgM4Jy+IikSSI25SfM1dV9zcQvJpM
         sPh/1gSO5IiKm0Dz+j1/F1oQr53Rch7rlJdRGAg+4JwzyE45oJbQCewnJXxxUumd8hMU
         cxsg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-transfer-encoding:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date
         :arc-authentication-results;
        bh=IafxghmW4L6fLTBwPqVMHH8hUK5kECpDmHRN+ucYRrU=;
        b=li1AvUlq+xlnLgRMboY62vY5L99KZMvNrNknZeAKPKQ5D5suJiKjdF7lV87C90vYyV
         FM4tRfgfHALfc631rTP8f9AXwIgK1a30GClFSogxEBjQtTIcsduDrtNz9m8LrB0Ia7f1
         bXL12tcjUjL6UU0U8Htr56DgLYX/9QKOM1V19OHxN11QXN5X7GzJGc7pyojvyi1AKSre
         B6jEslrVgXZvPqQjD3qR1AGYgqQRc5A2QfEMPBXvuf+sSXEOWMYac2/wxHDG6i2mCAVy
         CAiTSioWOlmlR04drwbgnTnN2mItc9tjS9ERokiK0LADWNTc09YeZX6i3b5YfPV9v4oQ
         TOqA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b5si6372055pgc.623.2017.11.09.08.19.17;
        Thu, 09 Nov 2017 08:19:28 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753373AbdKIQO2 (ORCPT <rfc822;kkoh.linux@gmail.com>
        + 81 others); Thu, 9 Nov 2017 11:14:28 -0500
Received: from h2.hallyn.com ([78.46.35.8]:46712 "EHLO h2.hallyn.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1753320AbdKIQOY (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 9 Nov 2017 11:14:24 -0500
Received: by h2.hallyn.com (Postfix, from userid 1001)
        id 151C01204EC; Thu,  9 Nov 2017 10:14:22 -0600 (CST)
Date:   Thu, 9 Nov 2017 10:14:22 -0600
From:   "Serge E. Hallyn" <serge@hallyn.com>
To:     Mahesh Bandewar
         =?utf-8?B?KOCkruCkueClh+CktiDgpKzgpILgpKHgpYfgpLXgpL4=?=
         =?utf-8?B?4KSwKQ==?= <maheshb@google.com>
Cc:     "Serge E. Hallyn" <serge@hallyn.com>,
        Christian Brauner <christian.brauner@canonical.com>,
        Boris Lukashev <blukashev@sempervictus.com>,
        Daniel Micay <danielmicay@gmail.com>,
        Mahesh Bandewar <mahesh@bandewar.net>,
        LKML <linux-kernel@vger.kernel.org>,
        Netdev <netdev@vger.kernel.org>,
        Kernel-hardening <kernel-hardening@lists.openwall.com>,
        Linux API <linux-api@vger.kernel.org>,
        Kees Cook <keescook@chromium.org>,
        "Eric W . Biederman" <ebiederm@xmission.com>,
        Eric Dumazet <edumazet@google.com>,
        David Miller <davem@davemloft.net>
Subject: Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control
 capabilities of some user namespaces
Message-ID: <20171109161422.GA25835@mail.hallyn.com>
References: <20171106221418.GA32543@mail.hallyn.com>
 <CAFUG7CcEy9a=RxBQZJR-C_2VuhZXrzJ_QxJnrSxdM=ox36DsXQ@mail.gmail.com>
 <20171106233913.GA1518@mail.hallyn.com>
 <CAFUG7CcW077LHcQEqk7qy7iVvmi-3J8psD1Kwj45XvHThiZC6w@mail.gmail.com>
 <20171107032802.GA6669@mail.hallyn.com>
 <CAF2d9jiwu3Ss7Dtem8qSptKgMc0Mc_o8MAAJkWM5CwJaFsbrcg@mail.gmail.com>
 <20171108190223.vdkyepcaegmub6le@gmail.com>
 <CAF2d9jjed4Q7QvCD9Kpaa7L-Ngg3XFbJvt0jNVUUwt=52wDjjw@mail.gmail.com>
 <20171109032134.GA15666@mail.hallyn.com>
 <CAF2d9jgs5MYn1dMT2mbhF=6UB2Hoo5kwmJhXuE6memBfWzkWXQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAF2d9jgs5MYn1dMT2mbhF=6UB2Hoo5kwmJhXuE6memBfWzkWXQ@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Quoting Mahesh Bandewar (महेश बंडेवार) (maheshb@google.com):
> Of course. Let's take an example of the CVE that I have mentioned in
> my cover-letter -
> CVE-2017-7308(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7308).
> It's well documented and even has a
> exploit(https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308)
> c-program that can demonstrate how it can be used against non-patched
> kernel. There is very nice blog
> post(https://googleprojectzero.blogspot.kr/2017/05/exploiting-linux-kernel-via-packet.html)
> about this vulnerability by Andrey Konovalov.

Ok, thanks.  It's a good example because the fix for this CVE actually
came by itself (http://kernel.ubuntu.com/git/ubuntu/ubuntu-xenial.git/tree/debian.master/changelog).
Normally multiple CVEs come at the same time, which would make a
workaround for one now helpful.  This is a good counter-example.

I'm going to maintain that I really don't like this.  But it looks
useful, so ack on the concept, I'll just have to look again at the
code now.  Thanks for indulging me.

-serge

From 1583572207410577284@xxx Thu Nov 09 07:22:22 +0000 2017
X-GM-THRID: 1583003759650790753
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread