It's astounding that anyone thought it was a good idea to add enormous amounts of kernel attack surface via unprivileged user namespaces.
Most namespace types are quite limited in terms of additional code you can reach using them.
-
-
User namespaces alone allow pervasively bypassing old boundaries preventing code from being exposed for local privilege escalation.
-
The other namespaces weren't a significant security issue before user namespaces. Network namespaces become a problem due to USERNS.
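The point in the thread can be shown concretely. The following C program is an added example, not code from anyone in the thread: as an ordinary user it unshares a user namespace, then a network namespace, and then issues SIOCSIFFLAGS on "lo", an ioctl that needs CAP_NET_ADMIN and is refused to an unprivileged process in the init network namespace. Inside the new user namespace the same process holds CAP_NET_ADMIN over the netns it created, so netdev, routing and netfilter configuration code that used to be reachable only by root becomes reachable by any local user. It also reads the knobs that control this: user.max_user_namespaces is the upstream sysctl (0 disables creation), and kernel.unprivileged_userns_clone is the Debian/Ubuntu out-of-tree knob, which the program treats as absent on kernels that do not carry it. The probe runs in a forked child so the caller's namespaces are untouched; a result of 1 means the kernel or policy refused the unprivileged userns.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <net/if.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read one integer from a /proc/sys file; -1 if the knob does not exist
 * (kernel.unprivileged_userns_clone only exists on Debian/Ubuntu kernels). */
long read_sysctl(const char *path)
{
    FILE *f = fopen(path, "r");
    long v = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Bring "lo" up in the caller's current network namespace.
 * Returns 0 on success, otherwise the errno. SIOCSIFFLAGS requires
 * CAP_NET_ADMIN over the netns' owning user namespace, so an unprivileged
 * process in the init netns gets EPERM here. */
int try_set_lo_up(void)
{
    struct ifreq ifr;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return errno;
    memset(&ifr, 0, sizeof ifr);
    strncpy(ifr.ifr_name, "lo", IFNAMSIZ - 1);
    if (ioctl(fd, SIOCGIFFLAGS, &ifr) < 0) { int e = errno; close(fd); return e; }
    ifr.ifr_flags |= IFF_UP;
    if (ioctl(fd, SIOCSIFFLAGS, &ifr) < 0) { int e = errno; close(fd); return e; }
    close(fd);
    return 0;
}

/* Result codes for probe_unprivileged_userns(). */
enum { PROBE_REACHED = 0, PROBE_USERNS_DENIED = 1, PROBE_NETNS_DENIED = 2, PROBE_ERROR = 3 };

/* In a child: create a user namespace with no privilege, then a network
 * namespace inside it, then touch root-only netdev configuration code. */
int probe_unprivileged_userns(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_ERROR;
    if (pid == 0) {
        /* EPERM (policy), ENOSPC (max_user_namespaces=0) or EINVAL/ENOSYS
         * (no CONFIG_USER_NS) all mean unprivileged userns are unavailable. */
        if (unshare(CLONE_NEWUSER) < 0)
            _exit(PROBE_USERNS_DENIED);
        /* We now hold the full capability set inside the new userns, which is
         * enough to create a netns: this is the extra kernel code reach. */
        if (unshare(CLONE_NEWNET) < 0)
            _exit(PROBE_NETNS_DENIED);
        _exit(try_set_lo_up() == 0 ? PROBE_REACHED : PROBE_NETNS_DENIED);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return PROBE_ERROR;
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *verdict[] = {
        "REACHABLE: unprivileged userns -> new netns -> netdev ioctl succeeded",
        "DENIED: unshare(CLONE_NEWUSER) refused; unprivileged userns disabled",
        "PARTIAL: userns created but netns/ioctl failed",
        "ERROR: could not run the probe",
    };
    int init_ns_err = try_set_lo_up();
    printf("user.max_user_namespaces = %ld\n", read_sysctl("/proc/sys/user/max_user_namespaces"));
    printf("kernel.unprivileged_userns_clone = %ld (-1 = knob not present)\n",
           read_sysctl("/proc/sys/kernel/unprivileged_userns_clone"));
    printf("SIOCSIFFLAGS on lo in the init netns: %s\n",
           init_ns_err ? strerror(init_ns_err) : "allowed (running as root?)");
    printf("probe: %s\n", verdict[probe_unprivileged_userns()]);
    return 0;
}
```

Run it as a non-root user: on a stock kernel with user namespaces enabled the init-netns ioctl reports EPERM while the probe reports REACHABLE. To close the path, set user.max_user_namespaces=0 (or kernel.unprivileged_userns_clone=0 on Debian/Ubuntu) and re-run; the probe then reports DENIED. Note that this also breaks software that relies on unprivileged namespaces, such as rootless containers and some browser sandboxes.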