diff options
Diffstat (limited to 'sys-kernel/linux-sources-redcore/files/6.7-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch')
| -rw-r--r-- | sys-kernel/linux-sources-redcore/files/6.7-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch | 131 |
1 files changed, 131 insertions, 0 deletions
diff --git a/sys-kernel/linux-sources-redcore/files/6.7-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch b/sys-kernel/linux-sources-redcore/files/6.7-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch new file mode 100644 index 00000000..09d6a2c0 --- /dev/null +++ b/sys-kernel/linux-sources-redcore/files/6.7-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch @@ -0,0 +1,131 @@ +diff -Nur a/include/linux/user_namespace.h b/include/linux/user_namespace.h +--- a/include/linux/user_namespace.h 2024-02-23 08:51:59.000000000 +0000 ++++ b/include/linux/user_namespace.h 2024-02-24 11:24:37.945502209 +0000 +@@ -156,6 +156,8 @@ + + #ifdef CONFIG_USER_NS + ++extern int unprivileged_userns_clone; ++ + static inline struct user_namespace *get_user_ns(struct user_namespace *ns) + { + if (ns) +@@ -189,6 +191,8 @@ + struct ns_common *ns_get_owner(struct ns_common *ns); + #else + ++#define unprivileged_userns_clone 0 ++ + static inline struct user_namespace *get_user_ns(struct user_namespace *ns) + { + return &init_user_ns; +diff -Nur a/init/Kconfig b/init/Kconfig +--- a/init/Kconfig 2024-02-23 08:51:59.000000000 +0000 ++++ b/init/Kconfig 2024-02-24 11:24:37.945502209 +0000 +@@ -1235,6 +1235,22 @@ + + If unsure, say N. + ++config USER_NS_UNPRIVILEGED ++ bool "Allow unprivileged users to create namespaces" ++ default y ++ depends on USER_NS ++ help ++ When disabled, unprivileged users will not be able to create ++ new namespaces. Allowing users to create their own namespaces ++ has been part of several recent local privilege escalation ++ exploits, so if you need user namespaces but are ++ paranoid^Wsecurity-conscious you want to disable this. ++ ++ This setting can be overridden at runtime via the ++ kernel.unprivileged_userns_clone sysctl. ++ ++ If unsure, say Y. ++ + config PID_NS + bool "PID Namespaces" + default y +diff -Nur a/kernel/fork.c b/kernel/fork.c +--- a/kernel/fork.c 2024-02-23 08:51:59.000000000 +0000 ++++ b/kernel/fork.c 2024-02-24 11:24:37.946502209 +0000 +@@ -100,6 +100,10 @@ + #include <linux/user_events.h> + #include <linux/iommu.h> + ++#ifdef CONFIG_USER_NS ++#include <linux/user_namespace.h> ++#endif ++ + #include <asm/pgalloc.h> + #include <linux/uaccess.h> + #include <asm/mmu_context.h> +@@ -2265,6 +2269,10 @@ + if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) + return ERR_PTR(-EINVAL); + ++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) ++ if (!capable(CAP_SYS_ADMIN)) ++ return ERR_PTR(-EPERM); ++ + /* + * Thread groups must share signals as well, and detached threads + * can only be started up within the thread group. +@@ -3411,6 +3419,12 @@ + if (unshare_flags & CLONE_NEWNS) + unshare_flags |= CLONE_FS; + ++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) { ++ err = -EPERM; ++ if (!capable(CAP_SYS_ADMIN)) ++ goto bad_unshare_out; ++ } ++ + err = check_unshare_flags(unshare_flags); + if (err) + goto bad_unshare_out; +diff -Nur a/kernel/sysctl.c b/kernel/sysctl.c +--- a/kernel/sysctl.c 2024-02-23 08:51:59.000000000 +0000 ++++ b/kernel/sysctl.c 2024-02-24 11:24:37.946502209 +0000 +@@ -80,6 +80,9 @@ + #ifdef CONFIG_RT_MUTEXES + #include <linux/rtmutex.h> + #endif ++#ifdef CONFIG_USER_NS ++#include <linux/user_namespace.h> ++#endif + + /* shared constants to be used in various sysctls */ + const int sysctl_vals[] = { 0, 1, 2, 3, 4, 100, 200, 1000, 3000, INT_MAX, 65535, -1 }; +@@ -1623,6 +1626,15 @@ + .mode = 0644, + .proc_handler = proc_dointvec, + }, ++#ifdef CONFIG_USER_NS ++ { ++ .procname = "unprivileged_userns_clone", ++ .data = &unprivileged_userns_clone, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ }, ++#endif + #ifdef CONFIG_PROC_SYSCTL + { + .procname = "tainted", +diff -Nur a/kernel/user_namespace.c b/kernel/user_namespace.c +--- a/kernel/user_namespace.c 2024-02-23 08:51:59.000000000 +0000 ++++ b/kernel/user_namespace.c 2024-02-24 11:40:48.120538387 +0000 +@@ -22,6 +22,13 @@ + #include <linux/bsearch.h> + #include <linux/sort.h> + ++/* sysctl */ ++#ifdef CONFIG_USER_NS_UNPRIVILEGED ++int unprivileged_userns_clone = 1; ++#else ++int unprivileged_userns_clone; ++#endif ++ + static struct kmem_cache *user_ns_cachep __ro_after_init; + static DEFINE_MUTEX(userns_state_mutex); + |