This workaround is nice, but it's still a kernel vuln. The /proc/scsi/scsi should require CAP_SYS_ADMIN! https://twitter.com/justincormack/status/926467677245378560 …
I think there is some granularity. For example, one could argue both ways for CAP_RAWIO checks in procfs
and the non-init_user_ns capability checks in /proc/$pid have to be that way for user namespaces to work properly
so yeah, it's a bit inconsistent, and there are opportunities for improvement, but IMO it's hard to figure out the balance for changes