by klooney 1141 days ago
From 2016: https://lwn.net/Articles/673597/

Andy Lutomirski described some concerns of his own:

> I consider the ability to use CLONE_NEWUSER to acquire CAP_NET_ADMIN over /any/ network namespace and to thus access the network configuration API to be a huge risk. For example, unprivileged users can program iptables. I'll eat my hat if there are no privilege escalations in there.

1 comment

I hope he hasn't been eating his hat all these years. I hear that isn't good for the digestive system... /s