== We've permanently disabled overlayfs on our servers

[[I tweeted https://twitter.com/thatcks/status/701878573381111808]]:

> Oh look, yet another Linux kernel local exploit in the overlayfs
> module. Time to permanently blacklist it on all of our machines.

Today's bugs are [[CVE-2016-1576 http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1576.html]] and [[CVE-2016-1575 http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1575.html]] ([[via http://www.ubuntu.com/usn/usn-2907-1/]]). There have been [[others http://seclists.org/oss-sec/2015/q2/717]] [[before https://security-tracker.debian.org/tracker/CVE-2015-8660]], and probably more that my casual Internet searches aren't turning up.

Based on my experiences so far, the two most common ingredients in the exploitable kernel security issues we've been seeing Ubuntu announcements for are overlayfs and user namespaces. As far as I know, we can't do anything to turn off user namespaces without rebuilding and maintaining our own kernel packages, but overlayfs is (just) a loadable kernel module. A kernel module that we don't use. So now we have an _/etc/modprobe.d/cslab-overlayfs.conf_ file on all of our servers that says:

.pn prewrap on

> # Permanently stop overlayfs from being loaded
> # because it keeps having security issues and
> # we don't use it.
> blacklist overlayfs
> install overlayfs /bin/false

Pretty soon this will be in our install framework, which means that future machines will probably be like this for several Ubuntu LTS versions to come. I feel some vague regret, but not very much. I'm done putting up with the whole 'surely we'll get this right someday' approach to making these subsystems not create security issues.

By the way, I don't find issues in either subsystem to be particularly surprising given what they do. User namespaces especially are a recipe for trouble in practice, because they let you create environments that break long-standing Unix security assumptions. Sure, they are supposed to only do this in a way that is still secure, but in practice, no, things keep slipping through the cracks. In a sane world it would be possible to disable user namespaces at runtime on distribution kernels. Sadly we're not in that world.
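The two lines in that file do different jobs: `blacklist` only stops the module from being autoloaded through an alias (for example by a mount request for the filesystem), while `install overlayfs /bin/false` makes an explicit `modprobe overlayfs` run `/bin/false` instead and so fail. A fragment with only the first line is weaker than it looks. The following shell script is an added example, not code from the post or from the CS Lab's install framework: it checks that a modprobe.d fragment contains both lines for a given module (ignoring commented-out lines), and reports whether the module is currently loaded or built into the running kernel, two cases a modprobe.d file cannot fix. It assumes a POSIX sh with `grep` and `mktemp`; the config fragments it runs on are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a modprobe.d
# fragment blocks a module the way the post's file does, and report
# whether the module is currently loaded or compiled into the kernel.
# Assumes POSIX sh, grep and mktemp; file paths and module names are
# passed as arguments, so nothing here is tied to one machine.

# Emit CONF with comment lines stripped, so "# blacklist foo" does not count.
_active_lines() {
    grep -v '^[[:space:]]*#' "$1"
}

# 0 if CONF has "blacklist MOD" (stops alias-based autoloading), else 1.
has_blacklist() {
    _active_lines "$1" | grep -q "^[[:space:]]*blacklist[[:space:]]\{1,\}$2[[:space:]]*$"
}

# 0 if CONF has "install MOD /bin/false" (makes an explicit modprobe fail), else 1.
has_install_false() {
    _active_lines "$1" | grep -q "^[[:space:]]*install[[:space:]]\{1,\}$2[[:space:]]\{1,\}/bin/false[[:space:]]*$"
}

# 0 only when both lines are present: blacklist alone still lets
# "modprobe MOD" load the module.
module_blocked_in_conf() {
    [ -r "$1" ] || return 1
    has_blacklist "$1" "$2" || return 1
    has_install_false "$1" "$2"
}

# 0 if MOD appears in /proc/modules (it is loaded right now).
# A modprobe.d change never unloads an already loaded module.
module_loaded() {
    [ -r /proc/modules ] && grep -q "^$1 " /proc/modules
}

# 0 if MOD is built into the running kernel; modprobe.d cannot block
# a built-in module at all.
module_builtin() {
    builtin_list="/lib/modules/$(uname -r)/modules.builtin"
    [ -r "$builtin_list" ] && grep -q "/$1\.ko$" "$builtin_list"
}

# Demo on constructed config fragments (not real files from the post's servers).
demo_dir=$(mktemp -d)
printf '%s\n' '# mirrors the post' 'blacklist overlayfs' 'install overlayfs /bin/false' > "$demo_dir/strong.conf"
printf '%s\n' 'blacklist overlayfs' > "$demo_dir/weak.conf"

for f in strong weak; do
    if module_blocked_in_conf "$demo_dir/$f.conf" overlayfs; then
        echo "$f.conf: overlayfs blocked for both autoload and modprobe"
    else
        echo "$f.conf: overlayfs NOT fully blocked"
    fi
done

# Check under both names the module has carried (see the note below).
for m in overlayfs overlay; do
    module_loaded "$m" && echo "$m is currently loaded"
    module_builtin "$m" && echo "$m is built into this kernel"
done
rm -rf "$demo_dir"
```

Two practical points the check is built around. First, the module was renamed from `overlayfs` to `overlay` when it was merged into mainline Linux in 3.18, so a fragment that names only `overlayfs` stops covering the module once a machine moves to a newer kernel; that is why the demo looks for both names. Second, `install` lines are honoured by `modprobe` but not by `insmod`, and neither line affects a module that is already loaded or built in, so the loaded and built-in checks are what tell you whether the file is actually doing anything on a given host.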