diff options
| author | V3n3RiX <venerix@koprulu.sector> | 2023-01-07 11:02:32 +0000 |
|---|---|---|
| committer | V3n3RiX <venerix@koprulu.sector> | 2023-01-07 11:02:32 +0000 |
| commit | 523cb58bc62eaa334e2b0b424637cbcb3b99deea (patch) | |
| tree | ade0062d4cbf57ed828af1e6320fe11dadfc7641 /sys-kernel/linux-image-redcore-lts-legacy/files/5.10-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch | |
| parent | 0cd68e3c9f55242994f5d1e67574aebf79575d18 (diff) | |
sys-kernel : reSLOT the kernels, add v6.1
Diffstat (limited to 'sys-kernel/linux-image-redcore-lts-legacy/files/5.10-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch')
| -rw-r--r-- | sys-kernel/linux-image-redcore-lts-legacy/files/5.10-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch | 154 |
1 files changed, 0 insertions, 154 deletions
diff --git a/sys-kernel/linux-image-redcore-lts-legacy/files/5.10-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch b/sys-kernel/linux-image-redcore-lts-legacy/files/5.10-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch deleted file mode 100644 index 31a1d918..00000000 --- a/sys-kernel/linux-image-redcore-lts-legacy/files/5.10-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch +++ /dev/null @@ -1,154 +0,0 @@ -From f615330c6169a5fe5750706f1db7cbdd520f9534 Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com> -Date: Mon, 16 Sep 2019 04:53:20 +0200 -Subject: [PATCH 1/2] ZEN: Add sysctl and CONFIG to disallow unprivileged - CLONE_NEWUSER - -Our default behavior continues to match the vanilla kernel. ---- - include/linux/user_namespace.h | 4 ++++ - init/Kconfig | 16 ++++++++++++++++ - kernel/fork.c | 14 ++++++++++++++ - kernel/sysctl.c | 12 ++++++++++++ - kernel/user_namespace.c | 7 +++++++ - 5 files changed, 53 insertions(+) - -diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h -index 6ef1c7109fc4..2140091b0b8d 100644 ---- a/include/linux/user_namespace.h -+++ b/include/linux/user_namespace.h -@@ -106,6 +106,8 @@ void dec_ucount(struct ucounts *ucounts, enum ucount_type type); - - #ifdef CONFIG_USER_NS - -+extern int unprivileged_userns_clone; -+ - static inline struct user_namespace *get_user_ns(struct user_namespace *ns) - { - if (ns) -@@ -139,6 +141,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns); - struct ns_common *ns_get_owner(struct ns_common *ns); - #else - -+#define unprivileged_userns_clone 0 -+ - static inline struct user_namespace *get_user_ns(struct user_namespace *ns) - { - return &init_user_ns; -diff --git a/init/Kconfig b/init/Kconfig -index 0872a5a2e759..a40d8afeb1bb 100644 ---- a/init/Kconfig -+++ b/init/Kconfig -@@ -1173,6 +1173,22 @@ config USER_NS - - If unsure, say N. - -+config USER_NS_UNPRIVILEGED -+ bool "Allow unprivileged users to create namespaces" -+ default y -+ depends on USER_NS -+ help -+ When disabled, unprivileged users will not be able to create -+ new namespaces. Allowing users to create their own namespaces -+ has been part of several recent local privilege escalation -+ exploits, so if you need user namespaces but are -+ paranoid^Wsecurity-conscious you want to disable this. -+ -+ This setting can be overridden at runtime via the -+ kernel.unprivileged_userns_clone sysctl. -+ -+ If unsure, say Y. -+ - config PID_NS - bool "PID Namespaces" - default y -diff --git a/kernel/fork.c b/kernel/fork.c -index c675fdbd3dce..9266039e28e4 100644 ---- a/kernel/fork.c -+++ b/kernel/fork.c -@@ -97,6 +97,10 @@ - #include <linux/scs.h> - #include <linux/io_uring.h> - -+#ifdef CONFIG_USER_NS -+#include <linux/user_namespace.h> -+#endif -+ - #include <asm/pgalloc.h> - #include <linux/uaccess.h> - #include <asm/mmu_context.h> -@@ -1863,6 +1867,10 @@ static __latent_entropy struct task_struct *copy_process( - if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) - return ERR_PTR(-EINVAL); - -+ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) -+ if (!capable(CAP_SYS_ADMIN)) -+ return ERR_PTR(-EPERM); -+ - /* - * Thread groups must share signals as well, and detached threads - * can only be started up within the thread group. -@@ -2928,6 +2936,12 @@ int ksys_unshare(unsigned long unshare_flags) - if (unshare_flags & CLONE_NEWNS) - unshare_flags |= CLONE_FS; - -+ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) { -+ err = -EPERM; -+ if (!capable(CAP_SYS_ADMIN)) -+ goto bad_unshare_out; -+ } -+ - err = check_unshare_flags(unshare_flags); - if (err) - goto bad_unshare_out; -diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index afad085960b8..a94828fb31c2 100644 ---- a/kernel/sysctl.c -+++ b/kernel/sysctl.c -@@ -103,6 +103,9 @@ - #ifdef CONFIG_LOCKUP_DETECTOR - #include <linux/nmi.h> - #endif -+#ifdef CONFIG_USER_NS -+#include <linux/user_namespace.h> -+#endif - - #if defined(CONFIG_SYSCTL) - -@@ -1902,6 +1905,15 @@ static struct ctl_table kern_table[] = { - .proc_handler = proc_dointvec, - }, - #endif -+#ifdef CONFIG_USER_NS -+ { -+ .procname = "unprivileged_userns_clone", -+ .data = &unprivileged_userns_clone, -+ .maxlen = sizeof(int), -+ .mode = 0644, -+ .proc_handler = proc_dointvec, -+ }, -+#endif - #ifdef CONFIG_PROC_SYSCTL - { - .procname = "tainted", -diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c -index e703d5d9cbe8..5758274feaee 100644 ---- a/kernel/user_namespace.c -+++ b/kernel/user_namespace.c -@@ -21,6 +21,13 @@ - #include <linux/bsearch.h> - #include <linux/sort.h> - -+/* sysctl */ -+#ifdef CONFIG_USER_NS_UNPRIVILEGED -+int unprivileged_userns_clone = 1; -+#else -+int unprivileged_userns_clone; -+#endif -+ - static struct kmem_cache *user_ns_cachep __read_mostly; - static DEFINE_MUTEX(userns_state_mutex); - --- -2.31.1 - |