[arch-commits] Commit in linux-lts/trunk (4 files)

Jan Steffens heftig at archlinux.org
Mon Jun 24 11:15:30 UTC 2019


    Date: Monday, June 24, 2019 @ 11:15:30
  Author: heftig
Revision: 356834

4.19.55-2

Added:
  linux-lts/trunk/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
Modified:
  linux-lts/trunk/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
  linux-lts/trunk/PKGBUILD
  linux-lts/trunk/config

-----------------------------------------------------------------+
 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch |   29 ++---
 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch         |   57 ++++++++++
 PKGBUILD                                                        |   13 +-
 config                                                          |    7 -
 4 files changed, 83 insertions(+), 23 deletions(-)

Modified: 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
===================================================================
--- 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch	2019-06-24 10:00:13 UTC (rev 356833)
+++ 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch	2019-06-24 11:15:30 UTC (rev 356834)
@@ -1,8 +1,7 @@
-From 4e54373158caa50df5402fdd3db1794c5394026b Mon Sep 17 00:00:00 2001
-Message-Id: <4e54373158caa50df5402fdd3db1794c5394026b.1516188238.git.jan.steffens at gmail.com>
+From 96161597803746c97c43e0703ca2a059bdd7a8f7 Mon Sep 17 00:00:00 2001
 From: Serge Hallyn <serge.hallyn at canonical.com>
 Date: Fri, 31 May 2013 19:12:12 +0100
-Subject: [PATCH 1/4] add sysctl to disallow unprivileged CLONE_NEWUSER by
+Subject: [PATCH 1/2] add sysctl to disallow unprivileged CLONE_NEWUSER by
  default
 
 Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
@@ -15,10 +14,10 @@
  3 files changed, 30 insertions(+)
 
 diff --git a/kernel/fork.c b/kernel/fork.c
-index 500ce64517d9..35f5860958b4 100644
+index 2628f3773ca8..a2da35b446a6 100644
 --- a/kernel/fork.c
 +++ b/kernel/fork.c
-@@ -102,6 +102,11 @@
+@@ -103,6 +103,11 @@
  
  #define CREATE_TRACE_POINTS
  #include <trace/events/task.h>
@@ -30,7 +29,7 @@
  
  /*
   * Minimum number of threads to boot the kernel
-@@ -1554,6 +1559,10 @@ static __latent_entropy struct task_struct *copy_process(
+@@ -1719,6 +1724,10 @@ static __latent_entropy struct task_struct *copy_process(
  	if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
  		return ERR_PTR(-EINVAL);
  
@@ -41,7 +40,7 @@
  	/*
  	 * Thread groups must share signals as well, and detached threads
  	 * can only be started up within the thread group.
-@@ -2347,6 +2356,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
+@@ -2554,6 +2563,12 @@ int ksys_unshare(unsigned long unshare_flags)
  	if (unshare_flags & CLONE_NEWNS)
  		unshare_flags |= CLONE_FS;
  
@@ -55,10 +54,10 @@
  	if (err)
  		goto bad_unshare_out;
 diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index 56aca862c4f5..e8402ba393c1 100644
+index 387efbaf464a..b393beb76f34 100644
 --- a/kernel/sysctl.c
 +++ b/kernel/sysctl.c
-@@ -105,6 +105,9 @@ extern int core_uses_pid;
+@@ -108,6 +108,9 @@ extern int core_uses_pid;
  extern char core_pattern[];
  extern unsigned int core_pipe_limit;
  #endif
@@ -68,7 +67,7 @@
  extern int pid_max;
  extern int pid_max_min, pid_max_max;
  extern int percpu_pagelist_fraction;
-@@ -513,6 +516,15 @@ static struct ctl_table kern_table[] = {
+@@ -535,6 +538,15 @@ static struct ctl_table kern_table[] = {
  		.proc_handler	= proc_dointvec,
  	},
  #endif
@@ -85,12 +84,12 @@
  	{
  		.procname	= "tainted",
 diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index c490f1e4313b..dd03bd39d7bf 100644
+index 923414a246e9..6b9dbc257e34 100644
 --- a/kernel/user_namespace.c
 +++ b/kernel/user_namespace.c
-@@ -24,6 +24,9 @@
- #include <linux/projid.h>
- #include <linux/fs_struct.h>
+@@ -26,6 +26,9 @@
+ #include <linux/bsearch.h>
+ #include <linux/sort.h>
  
 +/* sysctl */
 +int unprivileged_userns_clone;
@@ -99,5 +98,5 @@
  static DEFINE_MUTEX(userns_state_mutex);
  
 -- 
-2.15.1
+2.22.0
 

Added: 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
===================================================================
--- 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch	                        (rev 0)
+++ 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch	2019-06-24 11:15:30 UTC (rev 356834)
@@ -0,0 +1,57 @@
+From 1f89ffcbd1b6b6639eb49c521ac0d308a723cd3c Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <jan.steffens at gmail.com>
+Date: Thu, 7 Dec 2017 13:50:48 +0100
+Subject: [PATCH 2/2] ZEN: Add CONFIG for unprivileged_userns_clone
+
+This way our default behavior continues to match the vanilla kernel.
+---
+ init/Kconfig            | 16 ++++++++++++++++
+ kernel/user_namespace.c |  4 ++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 4592bf7997c0..f3df02990aff 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1004,6 +1004,22 @@ config USER_NS
+ 
+ 	  If unsure, say N.
+ 
++config USER_NS_UNPRIVILEGED
++	bool "Allow unprivileged users to create namespaces"
++	default y
++	depends on USER_NS
++	help
++	  When disabled, unprivileged users will not be able to create
++	  new namespaces. Allowing users to create their own namespaces
++	  has been part of several recent local privilege escalation
++	  exploits, so if you need user namespaces but are
++	  paranoid^Wsecurity-conscious you want to disable this.
++
++	  This setting can be overridden at runtime via the
++	  kernel.unprivileged_userns_clone sysctl.
++
++	  If unsure, say Y.
++
+ config PID_NS
+ 	bool "PID Namespaces"
+ 	default y
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 6b9dbc257e34..107b17f0d528 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -27,7 +27,11 @@
+ #include <linux/sort.h>
+ 
+ /* sysctl */
++#ifdef CONFIG_USER_NS_UNPRIVILEGED
++int unprivileged_userns_clone = 1;
++#else
+ int unprivileged_userns_clone;
++#endif
+ 
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+-- 
+2.22.0
+
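Review bot: The prompt and help text of `USER_NS_UNPRIVILEGED` say "create namespaces" and "new namespaces", but the option name, the `depends on USER_NS` line and the `kernel.unprivileged_userns_clone` sysctl all indicate that only user namespaces (CLONE_NEWUSER, per the subject of patch 1/2) are gated. An administrator reading the help to decide on hardening could misjudge what disabling it covers. I would word the prompt as `bool "Allow unprivileged users to create user namespaces"` and the help as `new user namespaces`. The help should also state the sysctl values, for example `(0 = disallow, 1 = allow)`, which matches the `= 1` initializer added in kernel/user_namespace.c. The check that consumes the variable is not shown in this hunk, so confirm the exact semantics against patch 1/2.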

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2019-06-24 10:00:13 UTC (rev 356833)
+++ PKGBUILD	2019-06-24 11:15:30 UTC (rev 356834)
@@ -4,7 +4,7 @@
 #pkgbase=linux-lts-custom
 _srcname=linux-4.19
 pkgver=4.19.55
-pkgrel=1
+pkgrel=2
 arch=('x86_64')
 url="https://www.kernel.org/"
 license=('GPL2')
@@ -16,7 +16,8 @@
         '60-linux.hook'  # pacman hook for depmod
         '90-linux.hook'  # pacman hook for initramfs regeneration
         'linux-lts.preset'   # standard config files for mkinitcpio ramdisk
-        0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch)
+        0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+        0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch)
 validpgpkeys=('ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds <torvalds at linux-foundation.org>
               '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman (Linux kernel stable release signing key) <greg at kroah.com>
              )
@@ -24,11 +25,12 @@
 sha256sums=('0c68f5655528aed4f99dae71a5b259edc93239fa899e2df79c055275c21749a1'
             'SKIP'
             '6b572393d79379cc7d7e9bd55170b2d4fc76745ad9f15c0b893a6749167f63f5'
-            'bec3d57b04bcc04be141e60e07fceae830c204de453ad18d054bbb5bc911f7e7'
+            'af7e7687a91b210e803697ef9509faaf3b7955a6094350212944a598b29f2c58'
             'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
             '75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
             'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
-            '36b1118c8dedadc4851150ddd4eb07b1c58ac5bbf3022cc2501a27c2b476da98')
+            'bc3dab5594735fb56bdb39c1630a470fd2e65fcf0d81a5db31bab3b91944225d'
+            '67aed9742e4281df6f0bd18dc936ae79319fee3763737f158c0e87a6948d100d')
 
 _kernelname=${pkgbase#linux}
 
@@ -44,8 +46,9 @@
   # add latest fixes from stable queue, if needed
   # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git
 
-  # disable USER_NS for non-root users by default
+  # allow disabling USER_NS via sysctl
   patch -Np1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+  patch -Np1 -i ../0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
 
   cp -Tf ../config .config
 
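Review bot: The new comment `# allow disabling USER_NS via sysctl` in prepare() is imprecise, because the sysctl restricts only unprivileged creation of user namespaces and does not disable USER_NS. The comment it replaces said the restriction was on by default, and the config section of this commit sets `CONFIG_USER_NS_UNPRIVILEGED=y`, so the packaged default appears to flip from restricted to allowed on upgrade. I would write `# add kernel.unprivileged_userns_clone sysctl; unprivileged user namespaces stay enabled unless it is set to 0`. The release notes or install message should also say that hosts relying on the previous default need `kernel.unprivileged_userns_clone = 0` in a sysctl.d file. prepare() starts and ends outside this hunk.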

Modified: config
===================================================================
--- config	2019-06-24 10:00:13 UTC (rev 356833)
+++ config	2019-06-24 11:15:30 UTC (rev 356834)
@@ -1,13 +1,13 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.19.50-1 Kernel Configuration
+# Linux/x86 4.19.55-2 Kernel Configuration
 #
 
 #
-# Compiler: gcc (GCC) 8.3.0
+# Compiler: gcc (GCC) 9.1.0
 #
 CONFIG_CC_IS_GCC=y
-CONFIG_GCC_VERSION=80300
+CONFIG_GCC_VERSION=90100
 CONFIG_CLANG_VERSION=0
 CONFIG_CC_HAS_ASM_GOTO=y
 CONFIG_IRQ_WORK=y
@@ -159,6 +159,7 @@
 CONFIG_UTS_NS=y
 CONFIG_IPC_NS=y
 CONFIG_USER_NS=y
+CONFIG_USER_NS_UNPRIVILEGED=y
 CONFIG_PID_NS=y
 CONFIG_NET_NS=y
 # CONFIG_CHECKPOINT_RESTORE is not set


