[arch-commits] Commit in linux-grsec/trunk (4 files)

Daniel Micay thestinger at archlinux.org
Wed Jul 30 04:38:59 UTC 2014


    Date: Wednesday, July 30, 2014 @ 06:38:58
  Author: thestinger
Revision: 116574

upgpkg: linux-grsec 3.15.7.201407282112-2

enable CONFIG_USER_NS, but revert the commit allowing unprivileged user
namespaces to avoid adding attack surface

Added:
  linux-grsec/trunk/Revert-userns-Allow-unprivileged-users-to-create-use.patch
Modified:
  linux-grsec/trunk/PKGBUILD
  linux-grsec/trunk/config
  linux-grsec/trunk/config.x86_64

------------------------------------------------------------+
 PKGBUILD                                                   |   11 ++
 Revert-userns-Allow-unprivileged-users-to-create-use.patch |   41 +++++++++++
 config                                                     |    2 
 config.x86_64                                              |    2 
 4 files changed, 51 insertions(+), 5 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2014-07-30 04:29:58 UTC (rev 116573)
+++ PKGBUILD	2014-07-30 04:38:58 UTC (rev 116574)
@@ -11,7 +11,7 @@
 _timestamp=201407282112
 _grsec_patch="grsecurity-$_grsecver-$_pkgver-$_timestamp.patch"
 pkgver=$_pkgver.$_timestamp
-pkgrel=1
+pkgrel=2
 arch=('i686' 'x86_64')
 url=https://grsecurity.net/
 license=('GPL2')
@@ -26,6 +26,7 @@
         # standard config files for mkinitcpio ramdisk
         'linux.preset'
         'change-default-console-loglevel.patch'
+        Revert-userns-Allow-unprivileged-users-to-create-use.patch
         sysctl.conf
         )
 sha256sums=('c3927e87be4040fa8aca1b58663dc0776aaf00485604ff88a623be2f3fb07794'
@@ -32,10 +33,11 @@
             '25f0767908e736a2388fe36810712ee3faa6c86c5255516496d5942ba1ffb451'
             '6f9c45339b6801e7021505c569c47b480fcde1f36aba34b89b3615fec0a59532'
             'SKIP'
-            'e453e2c7f5d3f52032b310a5475932378aea378e9291f84fe0258d64da2a1a1b'
-            'f77adc49d47a754fbe0fcf9384642f436e569d59aa26c1cfbb85cce0bb8361ae'
+            '9ca518a0a2b9c8a44c7200d89d122d0114566f8f8445beedcc70885af3d0a704'
+            '96f9c0ab9dc78d304d3b208b37e99a71562c818aedf07e22b991ac443b422d45'
             'ca7e718375b3790888756cc0a64a7500cd57dddb9bf7e10a0df22c860d91f74d'
             'faced4eb4c47c4eb1a9ee8a5bf8a7c4b49d6b4d78efbe426e410730e6267d182'
+            '1b3651558fcd497c72af3d483febb21fff98cbb9fbcb456da19b24304c40c754'
             'd4d4ae0b9c510547f47d94582e4ca08a7f12e9baf324181cb54d328027305e31')
 
 _kernelname=${pkgbase#linux}
@@ -54,6 +56,9 @@
   # (relevant patch sent upstream: https://lkml.org/lkml/2011/7/26/227)
   patch -p1 -i "${srcdir}/change-default-console-loglevel.patch"
 
+  # Forbid unprivileged user namespaces
+  patch -p1 -i "$srcdir/Revert-userns-Allow-unprivileged-users-to-create-use.patch"
+
   # Add grsecurity patches
   patch -Np1 -i "$srcdir/$_grsec_patch"
   rm localversion-grsec
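Review bot: The new `patch -p1 -i` call omits `-N`, unlike the grsecurity call directly below it, so a tree where the revert already appears applied or reversed is handled by patch's default behaviour rather than being skipped. Since this patch is what keeps user namespace creation privileged once the config hunks set CONFIG_USER_NS=y, it is worth writing it as `patch -Np1 -i "$srcdir/Revert-userns-Allow-unprivileged-users-to-create-use.patch"`. The comment could also say what is restored and what depends on it, e.g. `# Require CAP_SYS_ADMIN, CAP_SETUID and CAP_SETGID for clone(CLONE_NEWUSER); CONFIG_USER_NS=y relies on this patch`. The enclosing function starts and ends outside the hunk.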

Added: Revert-userns-Allow-unprivileged-users-to-create-use.patch
===================================================================
--- Revert-userns-Allow-unprivileged-users-to-create-use.patch	                        (rev 0)
+++ Revert-userns-Allow-unprivileged-users-to-create-use.patch	2014-07-30 04:38:58 UTC (rev 116574)
@@ -0,0 +1,41 @@
+From e3da68be55914bfeedb8866f191cc0958579611d Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer at fedoraproject.org>
+Date: Wed, 13 Nov 2013 10:21:18 -0500
+Subject: [PATCH] Revert "userns: Allow unprivileged users to create user
+ namespaces."
+
+This reverts commit 5eaf563e53294d6696e651466697eb9d491f3946.
+
+Conflicts:
+	kernel/fork.c
+---
+ kernel/fork.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/kernel/fork.c b/kernel/fork.c
+index f6d11fc..e04c9a7 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1573,6 +1573,19 @@ long do_fork(unsigned long clone_flags,
+ 	long nr;
+ 
+ 	/*
++	 * Do some preliminary argument and permissions checking before we
++	 * actually start allocating stuff
++	 */
++	if (clone_flags & CLONE_NEWUSER) {
++		/* hopefully this check will go away when userns support is
++		 * complete
++		 */
++		if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) ||
++				!capable(CAP_SETGID))
++			return -EPERM;
++	}
++
++	/*
+ 	 * Determine whether and which event to report to ptracer.  When
+ 	 * called from kernel_thread or CLONE_UNTRACED is explicitly
+ 	 * requested, no event is reported; otherwise, report if the event
+-- 
+1.8.3.1
+
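Review bot: The restored capability test sits only in do_fork(), so as far as this hunk shows it gates clone() with CLONE_NEWUSER and nothing else. unshare(2) accepts the same flag and, in kernels of this era, does not appear to go through do_fork(), so that path needs its own gate unless the grsecurity patch applied afterwards already provides one; neither is visible here and should be confirmed before relying on CONFIG_USER_NS=y. If it is not covered, the same test, `if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) || !capable(CAP_SETGID)) return -EPERM;`, belongs on the unshare path as well. do_fork()'s body continues outside the hunk.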

Modified: config
===================================================================
--- config	2014-07-30 04:29:58 UTC (rev 116573)
+++ config	2014-07-30 04:38:58 UTC (rev 116574)
@@ -157,7 +157,7 @@
 CONFIG_NAMESPACES=y
 CONFIG_UTS_NS=y
 CONFIG_IPC_NS=y
-# CONFIG_USER_NS is not set
+CONFIG_USER_NS=y
 CONFIG_PID_NS=y
 CONFIG_NET_NS=y
 CONFIG_SCHED_AUTOGROUP=y

Modified: config.x86_64
===================================================================
--- config.x86_64	2014-07-30 04:29:58 UTC (rev 116573)
+++ config.x86_64	2014-07-30 04:38:58 UTC (rev 116574)
@@ -164,7 +164,7 @@
 CONFIG_NAMESPACES=y
 CONFIG_UTS_NS=y
 CONFIG_IPC_NS=y
-# CONFIG_USER_NS is not set
+CONFIG_USER_NS=y
 CONFIG_PID_NS=y
 CONFIG_NET_NS=y
 CONFIG_SCHED_AUTOGROUP=y



