summaryrefslogtreecommitdiff
path: root/sys-kernel/linux-image-redcore-lts-legacy/files/5.10-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
diff options
context:
space:
mode:
authorV3n3RiX <venerix@koprulu.sector>2023-01-07 11:02:32 +0000
committerV3n3RiX <venerix@koprulu.sector>2023-01-07 11:02:32 +0000
commit523cb58bc62eaa334e2b0b424637cbcb3b99deea (patch)
treeade0062d4cbf57ed828af1e6320fe11dadfc7641 /sys-kernel/linux-image-redcore-lts-legacy/files/5.10-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
parent0cd68e3c9f55242994f5d1e67574aebf79575d18 (diff)
sys-kernel : reSLOT the kernels, add v6.1
Diffstat (limited to 'sys-kernel/linux-image-redcore-lts-legacy/files/5.10-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch')
-rw-r--r--sys-kernel/linux-image-redcore-lts-legacy/files/5.10-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch154
1 files changed, 0 insertions, 154 deletions
diff --git a/sys-kernel/linux-image-redcore-lts-legacy/files/5.10-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch b/sys-kernel/linux-image-redcore-lts-legacy/files/5.10-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
deleted file mode 100644
index 31a1d918..00000000
--- a/sys-kernel/linux-image-redcore-lts-legacy/files/5.10-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
+++ /dev/null
@@ -1,154 +0,0 @@
-From f615330c6169a5fe5750706f1db7cbdd520f9534 Mon Sep 17 00:00:00 2001
-From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
-Date: Mon, 16 Sep 2019 04:53:20 +0200
-Subject: [PATCH 1/2] ZEN: Add sysctl and CONFIG to disallow unprivileged
- CLONE_NEWUSER
-
-Our default behavior continues to match the vanilla kernel.
----
- include/linux/user_namespace.h | 4 ++++
- init/Kconfig | 16 ++++++++++++++++
- kernel/fork.c | 14 ++++++++++++++
- kernel/sysctl.c | 12 ++++++++++++
- kernel/user_namespace.c | 7 +++++++
- 5 files changed, 53 insertions(+)
-
-diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
-index 6ef1c7109fc4..2140091b0b8d 100644
---- a/include/linux/user_namespace.h
-+++ b/include/linux/user_namespace.h
-@@ -106,6 +106,8 @@ void dec_ucount(struct ucounts *ucounts, enum ucount_type type);
-
- #ifdef CONFIG_USER_NS
-
-+extern int unprivileged_userns_clone;
-+
- static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
- {
- if (ns)
-@@ -139,6 +141,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns);
- struct ns_common *ns_get_owner(struct ns_common *ns);
- #else
-
-+#define unprivileged_userns_clone 0
-+
- static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
- {
- return &init_user_ns;
-diff --git a/init/Kconfig b/init/Kconfig
-index 0872a5a2e759..a40d8afeb1bb 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -1173,6 +1173,22 @@ config USER_NS
-
- If unsure, say N.
-
-+config USER_NS_UNPRIVILEGED
-+ bool "Allow unprivileged users to create namespaces"
-+ default y
-+ depends on USER_NS
-+ help
-+ When disabled, unprivileged users will not be able to create
-+ new namespaces. Allowing users to create their own namespaces
-+ has been part of several recent local privilege escalation
-+ exploits, so if you need user namespaces but are
-+ paranoid^Wsecurity-conscious you want to disable this.
-+
-+ This setting can be overridden at runtime via the
-+ kernel.unprivileged_userns_clone sysctl.
-+
-+ If unsure, say Y.
-+
- config PID_NS
- bool "PID Namespaces"
- default y
-diff --git a/kernel/fork.c b/kernel/fork.c
-index c675fdbd3dce..9266039e28e4 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -97,6 +97,10 @@
- #include <linux/scs.h>
- #include <linux/io_uring.h>
-
-+#ifdef CONFIG_USER_NS
-+#include <linux/user_namespace.h>
-+#endif
-+
- #include <asm/pgalloc.h>
- #include <linux/uaccess.h>
- #include <asm/mmu_context.h>
-@@ -1863,6 +1867,10 @@ static __latent_entropy struct task_struct *copy_process(
- if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
- return ERR_PTR(-EINVAL);
-
-+ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
-+ if (!capable(CAP_SYS_ADMIN))
-+ return ERR_PTR(-EPERM);
-+
- /*
- * Thread groups must share signals as well, and detached threads
- * can only be started up within the thread group.
-@@ -2928,6 +2936,12 @@ int ksys_unshare(unsigned long unshare_flags)
- if (unshare_flags & CLONE_NEWNS)
- unshare_flags |= CLONE_FS;
-
-+ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
-+ err = -EPERM;
-+ if (!capable(CAP_SYS_ADMIN))
-+ goto bad_unshare_out;
-+ }
-+
- err = check_unshare_flags(unshare_flags);
- if (err)
- goto bad_unshare_out;
-diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index afad085960b8..a94828fb31c2 100644
---- a/kernel/sysctl.c
-+++ b/kernel/sysctl.c
-@@ -103,6 +103,9 @@
- #ifdef CONFIG_LOCKUP_DETECTOR
- #include <linux/nmi.h>
- #endif
-+#ifdef CONFIG_USER_NS
-+#include <linux/user_namespace.h>
-+#endif
-
- #if defined(CONFIG_SYSCTL)
-
-@@ -1902,6 +1905,15 @@ static struct ctl_table kern_table[] = {
- .proc_handler = proc_dointvec,
- },
- #endif
-+#ifdef CONFIG_USER_NS
-+ {
-+ .procname = "unprivileged_userns_clone",
-+ .data = &unprivileged_userns_clone,
-+ .maxlen = sizeof(int),
-+ .mode = 0644,
-+ .proc_handler = proc_dointvec,
-+ },
-+#endif
- #ifdef CONFIG_PROC_SYSCTL
- {
- .procname = "tainted",
-diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index e703d5d9cbe8..5758274feaee 100644
---- a/kernel/user_namespace.c
-+++ b/kernel/user_namespace.c
-@@ -21,6 +21,13 @@
- #include <linux/bsearch.h>
- #include <linux/sort.h>
-
-+/* sysctl */
-+#ifdef CONFIG_USER_NS_UNPRIVILEGED
-+int unprivileged_userns_clone = 1;
-+#else
-+int unprivileged_userns_clone;
-+#endif
-+
- static struct kmem_cache *user_ns_cachep __read_mostly;
- static DEFINE_MUTEX(userns_state_mutex);
-
---
-2.31.1
-