On Tue, Jul 19, 2022 at 10:42 PM Karl MacMillan karl@bigbadwolfsecurity.com wrote:

On Thu, Jul 7, 2022 at 6:34 PM Frederick Lawler fred@cloudflare.com wrote:

...

Unprivileged user namespace creation is an intended feature to enable sandboxing, however this feature is often used to as an initial step to perform a privilege escalation attack.

This patch implements a new namespace { userns_create } access control permission to restrict which domains allow or deny user namespace creation. This is necessary for system administrators to quickly protect their systems while waiting for vulnerability patches to be applied.

This permission can be used in the following way:

    allow domA_t domB_t : namespace { userns_create };

Isn’t this actually domA_t domA_t : namespace . . .

I got confused reading this initially trying to figure out what the second domain type would be, but looking at the code cleared that up.

Ah, good catch, thanks Karl!