diff options
| author | David Runge <dave@sleepmap.de> | 2019-07-23 09:19:39 +0200 |
|---|---|---|
| committer | David Runge <dave@sleepmap.de> | 2019-07-23 09:19:39 +0200 |
| commit | d449779b9fb387b502d1b77c63c162fa7be5fc65 (patch) | |
| tree | 8351f9295846c0e7c2446062a1d422a3c7153b91 /0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch | |
| parent | af11d2151ee2bae2f1155d7b21182968039f06e0 (diff) | |
PKGBUILD: Upgrading to 4.19.59_rt23. Including all current linux-lts patches and removing (now included bcache related patch.
Diffstat (limited to '0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch')
| -rw-r--r-- | 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch b/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch new file mode 100644 index 0000000..7fa619f --- /dev/null +++ b/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch @@ -0,0 +1,57 @@ +From 1f89ffcbd1b6b6639eb49c521ac0d308a723cd3c Mon Sep 17 00:00:00 2001 +From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com> +Date: Thu, 7 Dec 2017 13:50:48 +0100 +Subject: [PATCH 2/2] ZEN: Add CONFIG for unprivileged_userns_clone + +This way our default behavior continues to match the vanilla kernel. +--- + init/Kconfig | 16 ++++++++++++++++ + kernel/user_namespace.c | 4 ++++ + 2 files changed, 20 insertions(+) + +diff --git a/init/Kconfig b/init/Kconfig +index 4592bf7997c0..f3df02990aff 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1004,6 +1004,22 @@ config USER_NS + + If unsure, say N. + ++config USER_NS_UNPRIVILEGED ++ bool "Allow unprivileged users to create namespaces" ++ default y ++ depends on USER_NS ++ help ++ When disabled, unprivileged users will not be able to create ++ new namespaces. Allowing users to create their own namespaces ++ has been part of several recent local privilege escalation ++ exploits, so if you need user namespaces but are ++ paranoid^Wsecurity-conscious you want to disable this. ++ ++ This setting can be overridden at runtime via the ++ kernel.unprivileged_userns_clone sysctl. ++ ++ If unsure, say Y. ++ + config PID_NS + bool "PID Namespaces" + default y +diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c +index 6b9dbc257e34..107b17f0d528 100644 +--- a/kernel/user_namespace.c ++++ b/kernel/user_namespace.c +@@ -27,7 +27,11 @@ + #include <linux/sort.h> + + /* sysctl */ ++#ifdef CONFIG_USER_NS_UNPRIVILEGED ++int unprivileged_userns_clone = 1; ++#else + int unprivileged_userns_clone; ++#endif + + static struct kmem_cache *user_ns_cachep __read_mostly; + static DEFINE_MUTEX(userns_state_mutex); +-- +2.22.0 + |