-rw-r--r-- | .SRCINFO | 22 | ||||
-rw-r--r-- | 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch (renamed from 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch) | 69 | ||||
-rw-r--r-- | 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch | 57 | ||||
-rw-r--r-- | PKGBUILD | 64 | ||||
-rw-r--r-- | config | 9 |
5 files changed, 94 insertions, 127 deletions
@@ -1,5 +1,5 @@
 pkgbase = linux-rt-lts
- pkgver = 4.19.72.26
+ pkgver = 4.19.82.30
 pkgrel = 1
 url = https://wiki.linuxfoundation.org/realtime/start
 arch = x86_64
@@ -15,26 +15,24 @@ pkgbase = linux-rt-lts
 makedepends = python-sphinx_rtd_theme
 makedepends = xmlto
 options = !strip
- source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.19.72.tar.xz
- source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.19.72.tar.sign
- source = https://www.kernel.org/pub/linux/kernel/projects/rt/4.19/older/patch-4.19.72-rt26.patch.xz
- source = https://www.kernel.org/pub/linux/kernel/projects/rt/4.19/older/patch-4.19.72-rt26.patch.sign
+ source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.19.82.tar.xz
+ source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.19.82.tar.sign
+ source = https://www.kernel.org/pub/linux/kernel/projects/rt/4.19/older/patch-4.19.82-rt30.patch.xz
+ source = https://www.kernel.org/pub/linux/kernel/projects/rt/4.19/older/patch-4.19.82-rt30.patch.sign
 source = config
- source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
- source = 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
+ source = 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
 validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886
 validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E
 validpgpkeys = 8218F88849AAC522E94CF470A5E9288C4FA415FA
 validpgpkeys = 64254695FFF0AA4466CC19E67B96E8162A8CF5D1
 validpgpkeys = 5ED9A48FC54C0A22D1D0804CEBC26CDB5A56DE73
 validpgpkeys = E644E2F1D45FA0B2EAA02F33109F098506FF0B14
- sha256sums = f9fcb6b3bd29115ac55fc154e300c3dce2044502732f6842ad6c25e6f9f51f6d
+ sha256sums = 58d96d6c2c5ee8288fe9714891e4037a18f457b008e369e33fc744afc2cb595d
 sha256sums = SKIP
- sha256sums = 7e360014f510daf6ab886f272531f98d9ae5cb5a55973a9b636346ac45f841f6
+ sha256sums = c299a487a4a0446019b15241e132f6d570910eb18a968309f57b9bc8e44fc23a
 sha256sums = SKIP
- sha256sums = e5a6ac3346c359353b3a7491bb77637870328a4bf3f3d57bf434a29b72632600
- sha256sums = 75aa8dd708ca5a0137fbf7cddc9cafefe6aac6b8e0638c06c156d412d05af4bc
- sha256sums = 67aed9742e4281df6f0bd18dc936ae79319fee3763737f158c0e87a6948d100d
+ sha256sums = ab71979485ff9771d264c692a1215b5657455e844a16e00656cba0c810a99a81
+ sha256sums = a13581d3c6dc595206e4fe7fcf6b542e7a1bdbe96101f0f010fc5be49f99baf2
 
 pkgname = linux-rt-lts
 pkgdesc = The Linux-rt-lts kernel and modules
diff --git a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
index e57df3b..f93022e 100644
--- a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+++ b/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
@@ -1,22 +1,49 @@ -From 1a47eb71988a919e811ce558f6f58855155c6218 Mon Sep 17 00:00:00 2001 -From: Serge Hallyn <serge.hallyn@canonical.com> -Date: Fri, 31 May 2013 19:12:12 +0100 -Subject: [PATCH] add sysctl to disallow unprivileged CLONE_NEWUSER by default +From 6136ffb3d88e9f044260f8288d2d0a1edd64379e Mon Sep 17 00:00:00 2001 +From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com> +Date: Mon, 16 Sep 2019 04:53:20 +0200 +Subject: [PATCH] ZEN: Add sysctl and CONFIG to disallow unprivileged + CLONE_NEWUSER -Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> -[bwh: Remove unneeded binary sysctl bits] -Signed-off-by: Daniel Micay <danielmicay@gmail.com> +Our default behavior continues to match the vanilla kernel. --- + init/Kconfig | 16 ++++++++++++++++ kernel/fork.c | 15 +++++++++++++++ kernel/sysctl.c | 12 ++++++++++++ - kernel/user_namespace.c | 3 +++ - 3 files changed, 30 insertions(+) + kernel/user_namespace.c | 7 +++++++ + 4 files changed, 50 insertions(+) +diff --git a/init/Kconfig b/init/Kconfig +index bd7d650d4a99..658f9c052151 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1091,6 +1091,22 @@ config USER_NS + + If unsure, say N. + ++config USER_NS_UNPRIVILEGED ++ bool "Allow unprivileged users to create namespaces" ++ default y ++ depends on USER_NS ++ help ++ When disabled, unprivileged users will not be able to create ++ new namespaces. Allowing users to create their own namespaces ++ has been part of several recent local privilege escalation ++ exploits, so if you need user namespaces but are ++ paranoid^Wsecurity-conscious you want to disable this. ++ ++ This setting can be overridden at runtime via the ++ kernel.unprivileged_userns_clone sysctl. ++ ++ If unsure, say Y. ++ + config PID_NS + bool "PID Namespaces" + default y diff --git a/kernel/fork.c b/kernel/fork.c -index 8ed48ca2cc43..e02823819ab7 100644 +index 541fd805fb88..ffd57c812153 100644 --- a/kernel/fork.c 
+++ b/kernel/fork.c -@@ -103,6 +103,11 @@ +@@ -106,6 +106,11 @@ #define CREATE_TRACE_POINTS #include <trace/events/task.h> @@ -28,7 +55,7 @@ index 8ed48ca2cc43..e02823819ab7 100644 /* * Minimum number of threads to boot the kernel -@@ -1625,6 +1630,10 @@ static __latent_entropy struct task_struct *copy_process( +@@ -1788,6 +1793,10 @@ static __latent_entropy struct task_struct *copy_process( if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) return ERR_PTR(-EINVAL); @@ -39,7 +66,7 @@ index 8ed48ca2cc43..e02823819ab7 100644 /* * Thread groups must share signals as well, and detached threads * can only be started up within the thread group. -@@ -2421,6 +2430,12 @@ int ksys_unshare(unsigned long unshare_flags) +@@ -2819,6 +2828,12 @@ int ksys_unshare(unsigned long unshare_flags) if (unshare_flags & CLONE_NEWNS) unshare_flags |= CLONE_FS; @@ -53,10 +80,10 @@ index 8ed48ca2cc43..e02823819ab7 100644 if (err) goto bad_unshare_out; diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index 2d9837c0aff4..eb5236c069fc 100644 +index 078950d9605b..baead3605bbe 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c -@@ -105,6 +105,9 @@ extern int core_uses_pid; +@@ -110,6 +110,9 @@ extern int core_uses_pid; extern char core_pattern[]; extern unsigned int core_pipe_limit; #endif @@ -66,7 +93,7 @@ index 2d9837c0aff4..eb5236c069fc 100644 extern int pid_max; extern int pid_max_min, pid_max_max; extern int percpu_pagelist_fraction; -@@ -519,6 +522,15 @@ static struct ctl_table kern_table[] = { +@@ -545,6 +548,15 @@ static struct ctl_table kern_table[] = { .proc_handler = proc_dointvec, }, #endif @@ -83,19 +110,23 @@ index 2d9837c0aff4..eb5236c069fc 100644 { .procname = "tainted", diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c -index e5222b5fb4fe..c941a66e51d1 100644 +index 8eadadc478f9..c36ecd19562c 100644 --- a/kernel/user_namespace.c 
+++ b/kernel/user_namespace.c -@@ -26,6 +26,9 @@ +@@ -21,6 +21,13 @@ #include <linux/bsearch.h> #include <linux/sort.h> +/* sysctl */ ++#ifdef CONFIG_USER_NS_UNPRIVILEGED ++int unprivileged_userns_clone = 1; ++#else +int unprivileged_userns_clone; ++#endif + static struct kmem_cache *user_ns_cachep __read_mostly; static DEFINE_MUTEX(userns_state_mutex); -- -2.19.0 +2.23.0 diff --git a/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch b/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch deleted file mode 100644 index 7fa619f..0000000 --- a/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch +++ /dev/null 
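Review bot: The build-time default of `unprivileged_userns_clone` now depends on `CONFIG_USER_NS_UNPRIVILEGED` (`= 1` under the `#ifdef`, otherwise zero-initialised as a file-scope int), but no hunk of the packaged `config` in this commit sets that symbol, so unless `config` already carries it, `make olddefconfig` in prepare() will resolve it from the Kconfig `default y` with no line recording the chosen policy; an explicit `CONFIG_USER_NS_UNPRIVILEGED=y` (or `# CONFIG_USER_NS_UNPRIVILEGED is not set`) in `config` would make the shipped setting reviewable. The ctl_table entry for `kernel.unprivileged_userns_clone` lies outside these hunks; if it uses plain `proc_dointvec` rather than `proc_dointvec_minmax` with `extra1`/`extra2` bounding it to 0 and 1, any nonzero value is accepted, which is worth confirming. The bare `/* sysctl */` comment above the definition could state the contract: `/* kernel.unprivileged_userns_clone: nonzero lets unprivileged users create user namespaces (vanilla behaviour), 0 denies it; build-time default from CONFIG_USER_NS_UNPRIVILEGED */`. The rewritten header in the first hunk also drops the original `From:`/`Signed-off-by:` lines for Serge Hallyn and Daniel Micay while the fork.c and sysctl.c hunks appear unchanged apart from line numbers; keeping those trailers preserves provenance of the code.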
@@ -1,57 +0,0 @@ -From 1f89ffcbd1b6b6639eb49c521ac0d308a723cd3c Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com> -Date: Thu, 7 Dec 2017 13:50:48 +0100 -Subject: [PATCH 2/2] ZEN: Add CONFIG for unprivileged_userns_clone - -This way our default behavior continues to match the vanilla kernel. ---- - init/Kconfig | 16 ++++++++++++++++ - kernel/user_namespace.c | 4 ++++ - 2 files changed, 20 insertions(+) - -diff --git a/init/Kconfig b/init/Kconfig -index 4592bf7997c0..f3df02990aff 100644 ---- a/init/Kconfig -+++ b/init/Kconfig -@@ -1004,6 +1004,22 @@ config USER_NS - - If unsure, say N. - -+config USER_NS_UNPRIVILEGED -+ bool "Allow unprivileged users to create namespaces" -+ default y -+ depends on USER_NS -+ help -+ When disabled, unprivileged users will not be able to create -+ new namespaces. Allowing users to create their own namespaces -+ has been part of several recent local privilege escalation -+ exploits, so if you need user namespaces but are -+ paranoid^Wsecurity-conscious you want to disable this. -+ -+ This setting can be overridden at runtime via the -+ kernel.unprivileged_userns_clone sysctl. -+ -+ If unsure, say Y. -+ - config PID_NS - bool "PID Namespaces" - default y -diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c -index 6b9dbc257e34..107b17f0d528 100644 ---- a/kernel/user_namespace.c -+++ b/kernel/user_namespace.c -@@ -27,7 +27,11 @@ - #include <linux/sort.h> - - /* sysctl */ -+#ifdef CONFIG_USER_NS_UNPRIVILEGED -+int unprivileged_userns_clone = 1; -+#else - int unprivileged_userns_clone; -+#endif - - static struct kmem_cache *user_ns_cachep __read_mostly; - static DEFINE_MUTEX(userns_state_mutex); --- -2.22.0 - 
@@ -1,13 +1,13 @@ # Maintainer: Joakim Hernberg <jbh@alchemy.lu> -# Contributor: David Runge <dave@sleepmap.de> +# Contributor: David Runge <dvzrv@archlinux.org> # Contributor: Ray Rashif <schiv@archlinux.org> # Contributor: timbosa <tinny_tim@dodo.com.au> # Contributor: Jan Alexander Steffens (heftig) <jan.steffens@gmail.com> # Contributor: Tobias Powalowski <tpowa@archlinux.org> # Contributor: Thomas Baechler <thomas@archlinux.org> -_pkgver=4.19.72 -_rtpatchver=26 +_pkgver=4.19.82 +_rtpatchver=30 pkgbase=linux-rt-lts pkgver=${_pkgver}.${_rtpatchver} pkgrel=1 @@ -23,9 +23,8 @@ source=( "https://www.kernel.org/pub/linux/kernel/v4.x/linux-${_pkgver}.tar.sign" "https://www.kernel.org/pub/linux/kernel/projects/rt/4.19/older/patch-${_pkgver}-rt${_rtpatchver}.patch.xz" "https://www.kernel.org/pub/linux/kernel/projects/rt/4.19/older/patch-${_pkgver}-rt${_rtpatchver}.patch.sign" - config # the main kernel config file - 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch - 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch + 'config' + '0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch' ) validpgpkeys=( 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds 
@@ -35,13 +34,12 @@ validpgpkeys=( '5ED9A48FC54C0A22D1D0804CEBC26CDB5A56DE73' # Steven Rostedt 'E644E2F1D45FA0B2EAA02F33109F098506FF0B14' # Thomas Gleixner ) -sha256sums=('f9fcb6b3bd29115ac55fc154e300c3dce2044502732f6842ad6c25e6f9f51f6d' +sha256sums=('58d96d6c2c5ee8288fe9714891e4037a18f457b008e369e33fc744afc2cb595d' 'SKIP' - '7e360014f510daf6ab886f272531f98d9ae5cb5a55973a9b636346ac45f841f6' + 'c299a487a4a0446019b15241e132f6d570910eb18a968309f57b9bc8e44fc23a' 'SKIP' - 'e5a6ac3346c359353b3a7491bb77637870328a4bf3f3d57bf434a29b72632600' - '75aa8dd708ca5a0137fbf7cddc9cafefe6aac6b8e0638c06c156d412d05af4bc' - '67aed9742e4281df6f0bd18dc936ae79319fee3763737f158c0e87a6948d100d') + 'ab71979485ff9771d264c692a1215b5657455e844a16e00656cba0c810a99a81' + 'a13581d3c6dc595206e4fe7fcf6b542e7a1bdbe96101f0f010fc5be49f99baf2') export KBUILD_BUILD_HOST=archlinux export KBUILD_BUILD_USER=$pkgbase @@ -54,7 +52,7 @@ prepare() { msg "applying patch-${_pkgver}-rt${_rtpatchver}.patch" patch -Np1 -i "../patch-${_pkgver}-rt${_rtpatchver}.patch" - msg2 "Setting version..." + echo "Setting version..." scripts/setlocalversion --save-scmversion echo "-$pkgrel" > localversion.10-pkgrel echo "${pkgbase#linux}" > localversion.20-pkgname @@ -64,17 +62,17 @@ prepare() { src="${src%%::*}" src="${src##*/}" [[ $src = *.patch ]] || continue - msg2 "Applying patch $src..." + echo "Applying patch $src..." patch -Np1 < "../$src" done - msg2 "Setting config..." + echo "Setting config..." cp ../config .config make olddefconfig # make menuconfig # CLI menu for configuration make -s kernelrelease > version - msg2 "Prepared %s version %s" "$pkgbase" "$(<version)" + echo "Prepared %s version %s" "$pkgbase" "$(<version)" } build() { 
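Review bot: `echo "Prepared %s version %s" "$pkgbase" "$(<version)"` at the end of prepare() prints the `%s` placeholders literally, followed by the two arguments as extra words, because `echo` does no formatting while the `msg2` it replaces presumably took a format string; change it to `printf 'Prepared %s version %s\n' "$pkgbase" "$(<version)"`. The remaining `msg2` → `echo` swaps in this hunk and in the _package* hunks below carry no format specifiers and are unaffected.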
@@ -92,7 +90,7 @@ _package() { local kernver="$(<version)" local modulesdir="$pkgdir/usr/lib/modules/$kernver" - msg2 "Installing boot image..." + echo "Installing boot image..." # systemd expects to find the kernel here to allow hibernation # https://github.com/systemd/systemd/commit/edda44605f06a41fb86b7ab8128dcf99161d2344 install -Dm644 "$(make -s image_name)" "$modulesdir/vmlinuz" @@ -100,13 +98,13 @@ _package() { # Used by mkinitcpio to name the kernel echo "$pkgbase" | install -Dm644 /dev/stdin "$modulesdir/pkgbase" - msg2 "Installing modules..." + echo "Installing modules..." make INSTALL_MOD_PATH="$pkgdir/usr" modules_install # remove build and source links rm "$modulesdir"/{source,build} - msg2 "Fixing permissions..." + echo "Fixing permissions..." chmod -Rc u=rwX,go=rX "$pkgdir" } @@ -116,7 +114,7 @@ _package-headers() { cd $_srcname local builddir="$pkgdir/usr/lib/modules/$(<version)/build" - msg2 "Installing build files..." + echo "Installing build files..." install -Dt "$builddir" -m644 .config Makefile Module.symvers System.map \ localversion.* version vmlinux install -Dt "$builddir/kernel" -m644 kernel/Makefile @@ -132,7 +130,7 @@ _package-headers() { # this is gone in v5.3 mkdir "$builddir/.tmp_versions" - msg2 "Installing headers..." + echo "Installing headers..." cp -t "$builddir" -a include cp -t "$builddir/arch/x86" -a arch/x86/include install -Dt "$builddir/arch/x86/kernel" -m644 arch/x86/kernel/asm-offsets.s @@ -148,10 +146,10 @@ _package-headers() { install -Dt "$builddir/drivers/media/dvb-frontends" -m644 drivers/media/dvb-frontends/*.h install -Dt "$builddir/drivers/media/tuners" -m644 drivers/media/tuners/*.h - msg2 "Installing KConfig files..." + echo "Installing KConfig files..." find . -name 'Kconfig*' -exec install -Dm644 {} "$builddir/{}" \; - msg2 "Removing unneeded architectures..." + echo "Removing unneeded architectures..." local arch for arch in "$builddir"/arch/*/; do [[ $arch = */x86/ ]] && continue 
@@ -159,16 +157,16 @@ _package-headers() { rm -r "$arch" done - msg2 "Removing documentation..." + echo "Removing documentation..." rm -r "$builddir/Documentation" - msg2 "Removing broken symlinks..." + echo "Removing broken symlinks..." find -L "$builddir" -type l -printf 'Removing %P\n' -delete - msg2 "Removing loose objects..." + echo "Removing loose objects..." find "$builddir" -type f -name '*.o' -printf 'Removing %P\n' -delete - msg2 "Stripping build tools..." + echo "Stripping build tools..." local file while read -rd '' file; do case "$(file -bi "$file")" in @@ -183,11 +181,11 @@ _package-headers() { esac done < <(find "$builddir" -type f -perm -u+x ! -name vmlinux -print0) - msg2 "Adding symlink..." + echo "Adding symlink..." mkdir -p "$pkgdir/usr/src" ln -sr "$builddir" "$pkgdir/usr/src/$pkgbase" - msg2 "Fixing permissions..." + echo "Fixing permissions..." chmod -Rc u=rwX,go=rX "$pkgdir" } @@ -197,14 +195,14 @@ _package-docs() { cd $_srcname local builddir="$pkgdir/usr/lib/modules/$(<version)/build" - msg2 "Installing documentation..." + echo "Installing documentation..." mkdir -p "$builddir" cp -t "$builddir" -a Documentation - msg2 "Removing doctrees..." + echo "Removing doctrees..." rm -r "$builddir/Documentation/output/.doctrees" - msg2 "Moving HTML docs..." + echo "Moving HTML docs..." local src dst while read -rd '' src; do dst="$builddir/Documentation/${src#$builddir/Documentation/output/}" @@ -213,11 +211,11 @@ _package-docs() { rmdir -p --ignore-fail-on-non-empty "${src%/*}" done < <(find "$builddir/Documentation/output" -type f -print0) - msg2 "Adding symlink..." + echo "Adding symlink..." mkdir -p "$pkgdir/usr/share/doc" ln -sr "$builddir/Documentation" "$pkgdir/usr/share/doc/$pkgbase" - msg2 "Fixing permissions..." + echo "Fixing permissions..." chmod -Rc u=rwX,go=rX "$pkgdir" } 
@@ -1,13 +1,13 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.19.72 Kernel Configuration +# Linux/x86 4.19.82 Kernel Configuration # # -# Compiler: gcc (GCC) 9.1.0 +# Compiler: gcc (GCC) 9.2.0 # CONFIG_CC_IS_GCC=y -CONFIG_GCC_VERSION=90100 +CONFIG_GCC_VERSION=90200 CONFIG_CLANG_VERSION=0 CONFIG_CC_HAS_ASM_GOTO=y CONFIG_IRQ_WORK=y @@ -2061,7 +2061,6 @@ CONFIG_REGMAP_SPMI=m CONFIG_REGMAP_W1=m CONFIG_REGMAP_MMIO=y CONFIG_REGMAP_IRQ=y -CONFIG_REGMAP_SOUNDWIRE=m CONFIG_DMA_SHARED_BUFFER=y # CONFIG_DMA_FENCE_TRACE is not set @@ -7021,7 +7020,6 @@ CONFIG_USB_EMI62=m CONFIG_USB_EMI26=m CONFIG_USB_ADUTUX=m CONFIG_USB_SEVSEG=m -CONFIG_USB_RIO500=m CONFIG_USB_LEGOTOWER=m CONFIG_USB_LCD=m CONFIG_USB_CYPRESS_CY7C63=m @@ -8097,7 +8095,6 @@ CONFIG_SOUNDWIRE=y # # SoundWire Devices # -CONFIG_SOUNDWIRE_BUS=m CONFIG_SOUNDWIRE_CADENCE=m CONFIG_SOUNDWIRE_INTEL=m |