diff options
author | V3n3RiX <venerix@koprulu.sector> | 2022-01-09 22:16:02 +0000 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2022-01-09 22:16:02 +0000 |
commit | b907501806c020c9a430a2935677f5ed0db1f3b7 (patch) | |
tree | 59d2447f9da8ec749c49c00fe71c962a2c5348dd /sys-kernel/linux-sources-redcore-lts-legacy/files/5.10-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch | |
parent | 361e196143d4c25c79e7f25f3d88ce8a316929be (diff) |
sys-kernel/linux-{image,sources}-redcore-lts-legacy : move v5.10 to LTS legacy, version bump
Diffstat (limited to 'sys-kernel/linux-sources-redcore-lts-legacy/files/5.10-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch')
-rw-r--r-- | sys-kernel/linux-sources-redcore-lts-legacy/files/5.10-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch | 154 |
1 files changed, 154 insertions, 0 deletions
diff --git a/sys-kernel/linux-sources-redcore-lts-legacy/files/5.10-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch b/sys-kernel/linux-sources-redcore-lts-legacy/files/5.10-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch new file mode 100644 index 00000000..31a1d918 --- /dev/null +++ b/sys-kernel/linux-sources-redcore-lts-legacy/files/5.10-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch @@ -0,0 +1,154 @@ +From f615330c6169a5fe5750706f1db7cbdd520f9534 Mon Sep 17 00:00:00 2001 +From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com> +Date: Mon, 16 Sep 2019 04:53:20 +0200 +Subject: [PATCH 1/2] ZEN: Add sysctl and CONFIG to disallow unprivileged + CLONE_NEWUSER + +Our default behavior continues to match the vanilla kernel. +--- + include/linux/user_namespace.h | 4 ++++ + init/Kconfig | 16 ++++++++++++++++ + kernel/fork.c | 14 ++++++++++++++ + kernel/sysctl.c | 12 ++++++++++++ + kernel/user_namespace.c | 7 +++++++ + 5 files changed, 53 insertions(+) + +diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h +index 6ef1c7109fc4..2140091b0b8d 100644 +--- a/include/linux/user_namespace.h ++++ b/include/linux/user_namespace.h +@@ -106,6 +106,8 @@ void dec_ucount(struct ucounts *ucounts, enum ucount_type type); + + #ifdef CONFIG_USER_NS + ++extern int unprivileged_userns_clone; ++ + static inline struct user_namespace *get_user_ns(struct user_namespace *ns) + { + if (ns) +@@ -139,6 +141,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns); + struct ns_common *ns_get_owner(struct ns_common *ns); + #else + ++#define unprivileged_userns_clone 0 ++ + static inline struct user_namespace *get_user_ns(struct user_namespace *ns) + { + return &init_user_ns; +diff --git a/init/Kconfig b/init/Kconfig +index 0872a5a2e759..a40d8afeb1bb 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1173,6 +1173,22 @@ config USER_NS + + If unsure, say N. + ++config USER_NS_UNPRIVILEGED ++ bool "Allow unprivileged users to create namespaces" ++ default y ++ depends on USER_NS ++ help ++ When disabled, unprivileged users will not be able to create ++ new namespaces. Allowing users to create their own namespaces ++ has been part of several recent local privilege escalation ++ exploits, so if you need user namespaces but are ++ paranoid^Wsecurity-conscious you want to disable this. ++ ++ This setting can be overridden at runtime via the ++ kernel.unprivileged_userns_clone sysctl. ++ ++ If unsure, say Y. ++ + config PID_NS + bool "PID Namespaces" + default y +diff --git a/kernel/fork.c b/kernel/fork.c +index c675fdbd3dce..9266039e28e4 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -97,6 +97,10 @@ + #include <linux/scs.h> + #include <linux/io_uring.h> + ++#ifdef CONFIG_USER_NS ++#include <linux/user_namespace.h> ++#endif ++ + #include <asm/pgalloc.h> + #include <linux/uaccess.h> + #include <asm/mmu_context.h> +@@ -1863,6 +1867,10 @@ static __latent_entropy struct task_struct *copy_process( + if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) + return ERR_PTR(-EINVAL); + ++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) ++ if (!capable(CAP_SYS_ADMIN)) ++ return ERR_PTR(-EPERM); ++ + /* + * Thread groups must share signals as well, and detached threads + * can only be started up within the thread group. +@@ -2928,6 +2936,12 @@ int ksys_unshare(unsigned long unshare_flags) + if (unshare_flags & CLONE_NEWNS) + unshare_flags |= CLONE_FS; + ++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) { ++ err = -EPERM; ++ if (!capable(CAP_SYS_ADMIN)) ++ goto bad_unshare_out; ++ } ++ + err = check_unshare_flags(unshare_flags); + if (err) + goto bad_unshare_out; +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index afad085960b8..a94828fb31c2 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -103,6 +103,9 @@ + #ifdef CONFIG_LOCKUP_DETECTOR + #include <linux/nmi.h> + #endif ++#ifdef CONFIG_USER_NS ++#include <linux/user_namespace.h> ++#endif + + #if defined(CONFIG_SYSCTL) + +@@ -1902,6 +1905,15 @@ static struct ctl_table kern_table[] = { + .proc_handler = proc_dointvec, + }, + #endif ++#ifdef CONFIG_USER_NS ++ { ++ .procname = "unprivileged_userns_clone", ++ .data = &unprivileged_userns_clone, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ }, ++#endif + #ifdef CONFIG_PROC_SYSCTL + { + .procname = "tainted", +diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c +index e703d5d9cbe8..5758274feaee 100644 +--- a/kernel/user_namespace.c ++++ b/kernel/user_namespace.c +@@ -21,6 +21,13 @@ + #include <linux/bsearch.h> + #include <linux/sort.h> + ++/* sysctl */ ++#ifdef CONFIG_USER_NS_UNPRIVILEGED ++int unprivileged_userns_clone = 1; ++#else ++int unprivileged_userns_clone; ++#endif ++ + static struct kmem_cache *user_ns_cachep __read_mostly; + static DEFINE_MUTEX(userns_state_mutex); + +-- +2.31.1 + |