[arch-commits] Commit in linux-lts/trunk (4 files)
Jan Steffens
heftig at archlinux.org
Mon Jun 24 11:15:30 UTC 2019
Date: Monday, June 24, 2019 @ 11:15:30
Author: heftig
Revision: 356834
4.19.55-2
Added:
linux-lts/trunk/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
Modified:
linux-lts/trunk/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
linux-lts/trunk/PKGBUILD
linux-lts/trunk/config
-----------------------------------------------------------------+
0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch | 29 ++---
0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch | 57 ++++++++++
PKGBUILD | 13 +-
config | 7 -
4 files changed, 83 insertions(+), 23 deletions(-)
Modified: 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
===================================================================
--- 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch 2019-06-24 10:00:13 UTC (rev 356833)
+++ 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch 2019-06-24 11:15:30 UTC (rev 356834)
@@ -1,8 +1,7 @@
-From 4e54373158caa50df5402fdd3db1794c5394026b Mon Sep 17 00:00:00 2001
-Message-Id: <4e54373158caa50df5402fdd3db1794c5394026b.1516188238.git.jan.steffens at gmail.com>
+From 96161597803746c97c43e0703ca2a059bdd7a8f7 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn at canonical.com>
Date: Fri, 31 May 2013 19:12:12 +0100
-Subject: [PATCH 1/4] add sysctl to disallow unprivileged CLONE_NEWUSER by
+Subject: [PATCH 1/2] add sysctl to disallow unprivileged CLONE_NEWUSER by
default
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
@@ -15,10 +14,10 @@
3 files changed, 30 insertions(+)
diff --git a/kernel/fork.c b/kernel/fork.c
-index 500ce64517d9..35f5860958b4 100644
+index 2628f3773ca8..a2da35b446a6 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
-@@ -102,6 +102,11 @@
+@@ -103,6 +103,11 @@
#define CREATE_TRACE_POINTS
#include <trace/events/task.h>
@@ -30,7 +29,7 @@
/*
* Minimum number of threads to boot the kernel
-@@ -1554,6 +1559,10 @@ static __latent_entropy struct task_struct *copy_process(
+@@ -1719,6 +1724,10 @@ static __latent_entropy struct task_struct *copy_process(
if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
return ERR_PTR(-EINVAL);
@@ -41,7 +40,7 @@
/*
* Thread groups must share signals as well, and detached threads
* can only be started up within the thread group.
-@@ -2347,6 +2356,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
+@@ -2554,6 +2563,12 @@ int ksys_unshare(unsigned long unshare_flags)
if (unshare_flags & CLONE_NEWNS)
unshare_flags |= CLONE_FS;
@@ -55,10 +54,10 @@
if (err)
goto bad_unshare_out;
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index 56aca862c4f5..e8402ba393c1 100644
+index 387efbaf464a..b393beb76f34 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
-@@ -105,6 +105,9 @@ extern int core_uses_pid;
+@@ -108,6 +108,9 @@ extern int core_uses_pid;
extern char core_pattern[];
extern unsigned int core_pipe_limit;
#endif
@@ -68,7 +67,7 @@
extern int pid_max;
extern int pid_max_min, pid_max_max;
extern int percpu_pagelist_fraction;
-@@ -513,6 +516,15 @@ static struct ctl_table kern_table[] = {
+@@ -535,6 +538,15 @@ static struct ctl_table kern_table[] = {
.proc_handler = proc_dointvec,
},
#endif
@@ -85,12 +84,12 @@
{
.procname = "tainted",
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index c490f1e4313b..dd03bd39d7bf 100644
+index 923414a246e9..6b9dbc257e34 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
-@@ -24,6 +24,9 @@
- #include <linux/projid.h>
- #include <linux/fs_struct.h>
+@@ -26,6 +26,9 @@
+ #include <linux/bsearch.h>
+ #include <linux/sort.h>
+/* sysctl */
+int unprivileged_userns_clone;
@@ -99,5 +98,5 @@
static DEFINE_MUTEX(userns_state_mutex);
--
-2.15.1
+2.22.0
Added: 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
===================================================================
--- 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch (rev 0)
+++ 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch 2019-06-24 11:15:30 UTC (rev 356834)
@@ -0,0 +1,57 @@
+From 1f89ffcbd1b6b6639eb49c521ac0d308a723cd3c Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <jan.steffens at gmail.com>
+Date: Thu, 7 Dec 2017 13:50:48 +0100
+Subject: [PATCH 2/2] ZEN: Add CONFIG for unprivileged_userns_clone
+
+This way our default behavior continues to match the vanilla kernel.
+---
+ init/Kconfig | 16 ++++++++++++++++
+ kernel/user_namespace.c | 4 ++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 4592bf7997c0..f3df02990aff 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1004,6 +1004,22 @@ config USER_NS
+
+ If unsure, say N.
+
++config USER_NS_UNPRIVILEGED
++ bool "Allow unprivileged users to create namespaces"
++ default y
++ depends on USER_NS
++ help
++ When disabled, unprivileged users will not be able to create
++ new namespaces. Allowing users to create their own namespaces
++ has been part of several recent local privilege escalation
++ exploits, so if you need user namespaces but are
++ paranoid^Wsecurity-conscious you want to disable this.
++
++ This setting can be overridden at runtime via the
++ kernel.unprivileged_userns_clone sysctl.
++
++ If unsure, say Y.
++
+ config PID_NS
+ bool "PID Namespaces"
+ default y
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 6b9dbc257e34..107b17f0d528 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -27,7 +27,11 @@
+ #include <linux/sort.h>
+
+ /* sysctl */
++#ifdef CONFIG_USER_NS_UNPRIVILEGED
++int unprivileged_userns_clone = 1;
++#else
+ int unprivileged_userns_clone;
++#endif
+
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+--
+2.22.0
+
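Review bot: The `#ifdef CONFIG_USER_NS_UNPRIVILEGED` / `#else` pair around the two definitions of `unprivileged_userns_clone` in kernel/user_namespace.c can be a single initialiser, `int unprivileged_userns_clone = IS_ENABLED(CONFIG_USER_NS_UNPRIVILEGED);`, which leaves one definition and one place to read the boot-time default. The Kconfig help text says unprivileged users "will not be able to create new namespaces", while the subject line of 0001 indicates the sysctl gates CLONE_NEWUSER only. Wording such as `new user namespaces` in both the prompt and the help would describe the knob more accurately. Because `default y` keeps the feature on, the help could also say outright that answering N makes the kernel boot with kernel.unprivileged_userns_clone=0.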
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2019-06-24 10:00:13 UTC (rev 356833)
+++ PKGBUILD 2019-06-24 11:15:30 UTC (rev 356834)
@@ -4,7 +4,7 @@
#pkgbase=linux-lts-custom
_srcname=linux-4.19
pkgver=4.19.55
-pkgrel=1
+pkgrel=2
arch=('x86_64')
url="https://www.kernel.org/"
license=('GPL2')
@@ -16,7 +16,8 @@
'60-linux.hook' # pacman hook for depmod
'90-linux.hook' # pacman hook for initramfs regeneration
'linux-lts.preset' # standard config files for mkinitcpio ramdisk
- 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch)
+ 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+ 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch)
validpgpkeys=('ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds <torvalds at linux-foundation.org>
'647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman (Linux kernel stable release signing key) <greg at kroah.com>
)
@@ -24,11 +25,12 @@
sha256sums=('0c68f5655528aed4f99dae71a5b259edc93239fa899e2df79c055275c21749a1'
'SKIP'
'6b572393d79379cc7d7e9bd55170b2d4fc76745ad9f15c0b893a6749167f63f5'
- 'bec3d57b04bcc04be141e60e07fceae830c204de453ad18d054bbb5bc911f7e7'
+ 'af7e7687a91b210e803697ef9509faaf3b7955a6094350212944a598b29f2c58'
'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
'75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
- '36b1118c8dedadc4851150ddd4eb07b1c58ac5bbf3022cc2501a27c2b476da98')
+ 'bc3dab5594735fb56bdb39c1630a470fd2e65fcf0d81a5db31bab3b91944225d'
+ '67aed9742e4281df6f0bd18dc936ae79319fee3763737f158c0e87a6948d100d')
_kernelname=${pkgbase#linux}
@@ -44,8 +46,9 @@
# add latest fixes from stable queue, if needed
# http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git
- # disable USER_NS for non-root users by default
+ # allow disabling USER_NS via sysctl
patch -Np1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+ patch -Np1 -i ../0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
cp -Tf ../config .config
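Review bot: The new comment `# allow disabling USER_NS via sysctl` does not record that this release flips the package default. With 0002 applied and `CONFIG_USER_NS_UNPRIVILEGED=y` in config, `unprivileged_userns_clone` starts at 1, whereas the comment it replaces described unprivileged USER_NS as disabled by default. A comment such as `# unprivileged USER_NS is on by default (CONFIG_USER_NS_UNPRIVILEGED=y); kernel.unprivileged_userns_clone=0 turns it off` would make that visible to the next maintainer. Hosts that relied on the old default keep the restriction only if they set the sysctl explicitly, for example in a sysctl.d drop-in, so the change deserves a line in the commit message, which currently reads only `4.19.55-2`. The enclosing function starts and ends outside this hunk.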
Modified: config
===================================================================
--- config 2019-06-24 10:00:13 UTC (rev 356833)
+++ config 2019-06-24 11:15:30 UTC (rev 356834)
@@ -1,13 +1,13 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.19.50-1 Kernel Configuration
+# Linux/x86 4.19.55-2 Kernel Configuration
#
#
-# Compiler: gcc (GCC) 8.3.0
+# Compiler: gcc (GCC) 9.1.0
#
CONFIG_CC_IS_GCC=y
-CONFIG_GCC_VERSION=80300
+CONFIG_GCC_VERSION=90100
CONFIG_CLANG_VERSION=0
CONFIG_CC_HAS_ASM_GOTO=y
CONFIG_IRQ_WORK=y
@@ -159,6 +159,7 @@
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
+CONFIG_USER_NS_UNPRIVILEGED=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
# CONFIG_CHECKPOINT_RESTORE is not set