It looks like this is in code responsible for mounting filesystems. The sheer size of the attack surface introduced by user namespaces is mind boggling, and I can’t say I’m surprised we’re still seeing LPEs in functionality that used to be root-only.
Incidentally, sandstorm is unaffected; we don’t let apps use user namespaces for exactly this reason.
It looks like this is in code responsible for mounting filesystems. The sheer size of the attack surface introduced by user namespaces is mind boggling, and I can’t say I’m surprised we’re still seeing LPEs in functionality that used to be root-only.
Incidentally, sandstorm is unaffected; we don’t let apps use user namespaces for exactly this reason.