diff -Nur a/include/linux/user_namespace.h b/include/linux/user_namespace.h --- a/include/linux/user_namespace.h 2024-02-23 08:51:59.000000000 +0000 +++ b/include/linux/user_namespace.h 2024-02-24 11:24:37.945502209 +0000 @@ -156,6 +156,8 @@ #ifdef CONFIG_USER_NS +extern int unprivileged_userns_clone; + static inline struct user_namespace *get_user_ns(struct user_namespace *ns) { if (ns) @@ -189,6 +191,8 @@ struct ns_common *ns_get_owner(struct ns_common *ns); #else +#define unprivileged_userns_clone 0 + static inline struct user_namespace *get_user_ns(struct user_namespace *ns) { return &init_user_ns; diff -Nur a/init/Kconfig b/init/Kconfig --- a/init/Kconfig 2024-02-23 08:51:59.000000000 +0000 +++ b/init/Kconfig 2024-02-24 11:24:37.945502209 +0000 @@ -1235,6 +1235,22 @@ If unsure, say N. +config USER_NS_UNPRIVILEGED + bool "Allow unprivileged users to create namespaces" + default y + depends on USER_NS + help + When disabled, unprivileged users will not be able to create + new namespaces. Allowing users to create their own namespaces + has been part of several recent local privilege escalation + exploits, so if you need user namespaces but are + paranoid^Wsecurity-conscious you want to disable this. + + This setting can be overridden at runtime via the + kernel.unprivileged_userns_clone sysctl. + + If unsure, say Y. + config PID_NS bool "PID Namespaces" default y diff -Nur a/kernel/fork.c b/kernel/fork.c --- a/kernel/fork.c 2024-02-23 08:51:59.000000000 +0000 +++ b/kernel/fork.c 2024-02-24 11:24:37.946502209 +0000 @@ -100,6 +100,10 @@ #include #include +#ifdef CONFIG_USER_NS +#include +#endif + #include #include #include @@ -2265,6 +2269,10 @@ if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) return ERR_PTR(-EINVAL); + if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) + if (!capable(CAP_SYS_ADMIN)) + return ERR_PTR(-EPERM); + /* * Thread groups must share signals as well, and detached threads * can only be started up within the thread group. @@ -3411,6 +3419,12 @@ if (unshare_flags & CLONE_NEWNS) unshare_flags |= CLONE_FS; + if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) { + err = -EPERM; + if (!capable(CAP_SYS_ADMIN)) + goto bad_unshare_out; + } + err = check_unshare_flags(unshare_flags); if (err) goto bad_unshare_out; diff -Nur a/kernel/sysctl.c b/kernel/sysctl.c --- a/kernel/sysctl.c 2024-02-23 08:51:59.000000000 +0000 +++ b/kernel/sysctl.c 2024-02-24 11:24:37.946502209 +0000 @@ -80,6 +80,9 @@ #ifdef CONFIG_RT_MUTEXES #include #endif +#ifdef CONFIG_USER_NS +#include +#endif /* shared constants to be used in various sysctls */ const int sysctl_vals[] = { 0, 1, 2, 3, 4, 100, 200, 1000, 3000, INT_MAX, 65535, -1 }; @@ -1623,6 +1626,15 @@ .mode = 0644, .proc_handler = proc_dointvec, }, +#ifdef CONFIG_USER_NS + { + .procname = "unprivileged_userns_clone", + .data = &unprivileged_userns_clone, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec, + }, +#endif #ifdef CONFIG_PROC_SYSCTL { .procname = "tainted", diff -Nur a/kernel/user_namespace.c b/kernel/user_namespace.c --- a/kernel/user_namespace.c 2024-02-23 08:51:59.000000000 +0000 +++ b/kernel/user_namespace.c 2024-02-24 11:40:48.120538387 +0000 @@ -22,6 +22,13 @@ #include #include +/* sysctl */ +#ifdef CONFIG_USER_NS_UNPRIVILEGED +int unprivileged_userns_clone = 1; +#else +int unprivileged_userns_clone; +#endif + static struct kmem_cache *user_ns_cachep __ro_after_init; static DEFINE_MUTEX(userns_state_mutex);