diff options
| author | David P <megver83@parabola.nu> | 2020-04-27 18:24:44 -0400 |
|---|---|---|
| committer | David P <megver83@parabola.nu> | 2020-04-27 18:28:38 -0400 |
| commit | a5dea4f2300de846d3d9967ffdfd3b3bea4e8d70 (patch) | |
| tree | 8fdf7e40b41e26cf8a1249fd3d384ae2bfac6823 /kernels/linux-libre-xtreme/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch | |
| parent | 940cbcb215b3a06b0f6a85c0700d6d642d1bebc8 (diff) | |
| download | abslibre-a5dea4f2300de846d3d9967ffdfd3b3bea4e8d70.tar.gz abslibre-a5dea4f2300de846d3d9967ffdfd3b3bea4e8d70.tar.bz2 abslibre-a5dea4f2300de846d3d9967ffdfd3b3bea4e8d70.zip | |
rmpkg: kernels/linux-libre-xtreme
Reason: Linux-libre{-hardened} enables all LSM by default in i686 and x86_64 since a long time.
Although it kinda made sense because it had AppArmor enabled by default, it's not worth to maintain
it since anyone can enable it by passing a kernel parameter, as explained in the AppArmor page in
ArchWiki. This isn't the case for armv7h, but will see if users want AppArmor for ARM in the future.
Signed-off-by: David P <megver83@parabola.nu>
Diffstat (limited to 'kernels/linux-libre-xtreme/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch')
| -rw-r--r-- | kernels/linux-libre-xtreme/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch | 132 |
1 files changed, 0 insertions, 132 deletions
diff --git a/kernels/linux-libre-xtreme/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch b/kernels/linux-libre-xtreme/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch deleted file mode 100644 index f2a08ca64..000000000 --- a/kernels/linux-libre-xtreme/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch +++ /dev/null @@ -1,132 +0,0 @@ -From b7ea2fa503702cbbd1eb2d38371b5650aab88666 Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com> -Date: Mon, 16 Sep 2019 04:53:20 +0200 -Subject: [PATCH 01/11] ZEN: Add sysctl and CONFIG to disallow unprivileged - CLONE_NEWUSER - -Our default behavior continues to match the vanilla kernel. ---- - init/Kconfig | 16 ++++++++++++++++ - kernel/fork.c | 15 +++++++++++++++ - kernel/sysctl.c | 12 ++++++++++++ - kernel/user_namespace.c | 7 +++++++ - 4 files changed, 50 insertions(+) - -diff --git a/init/Kconfig b/init/Kconfig -index 74297c392dd4..44221292a9eb 100644 ---- a/init/Kconfig -+++ b/init/Kconfig -@@ -1102,6 +1102,22 @@ config USER_NS - - If unsure, say N. - -+config USER_NS_UNPRIVILEGED -+ bool "Allow unprivileged users to create namespaces" -+ default y -+ depends on USER_NS -+ help -+ When disabled, unprivileged users will not be able to create -+ new namespaces. Allowing users to create their own namespaces -+ has been part of several recent local privilege escalation -+ exploits, so if you need user namespaces but are -+ paranoid^Wsecurity-conscious you want to disable this. -+ -+ This setting can be overridden at runtime via the -+ kernel.unprivileged_userns_clone sysctl. -+ -+ If unsure, say Y. -+ - config PID_NS - bool "PID Namespaces" - default y -diff --git a/kernel/fork.c b/kernel/fork.c -index 080809560072..1cb7b827b57b 100644 ---- a/kernel/fork.c -+++ b/kernel/fork.c -@@ -106,6 +106,11 @@ - - #define CREATE_TRACE_POINTS - #include <trace/events/task.h> -+#ifdef CONFIG_USER_NS -+extern int unprivileged_userns_clone; -+#else -+#define unprivileged_userns_clone 0 -+#endif - - /* - * Minimum number of threads to boot the kernel -@@ -1843,6 +1848,10 @@ static __latent_entropy struct task_struct *copy_process( - if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) - return ERR_PTR(-EINVAL); - -+ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) -+ if (!capable(CAP_SYS_ADMIN)) -+ return ERR_PTR(-EPERM); -+ - /* - * Thread groups must share signals as well, and detached threads - * can only be started up within the thread group. -@@ -2923,6 +2932,12 @@ int ksys_unshare(unsigned long unshare_flags) - if (unshare_flags & CLONE_NEWNS) - unshare_flags |= CLONE_FS; - -+ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) { -+ err = -EPERM; -+ if (!capable(CAP_SYS_ADMIN)) -+ goto bad_unshare_out; -+ } -+ - err = check_unshare_flags(unshare_flags); - if (err) - goto bad_unshare_out; -diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index 70665934d53e..9797869ed829 100644 ---- a/kernel/sysctl.c -+++ b/kernel/sysctl.c -@@ -110,6 +110,9 @@ extern int core_uses_pid; - extern char core_pattern[]; - extern unsigned int core_pipe_limit; - #endif -+#ifdef CONFIG_USER_NS -+extern int unprivileged_userns_clone; -+#endif - extern int pid_max; - extern int pid_max_min, pid_max_max; - extern int percpu_pagelist_fraction; -@@ -546,6 +549,15 @@ static struct ctl_table kern_table[] = { - .proc_handler = proc_dointvec, - }, - #endif -+#ifdef CONFIG_USER_NS -+ { -+ .procname = "unprivileged_userns_clone", -+ .data = &unprivileged_userns_clone, -+ .maxlen = sizeof(int), -+ .mode = 0644, -+ .proc_handler = proc_dointvec, -+ }, -+#endif - #ifdef CONFIG_PROC_SYSCTL - { - .procname = "tainted", -diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c -index 8eadadc478f9..c36ecd19562c 100644 ---- a/kernel/user_namespace.c -+++ b/kernel/user_namespace.c -@@ -21,6 +21,13 @@ - #include <linux/bsearch.h> - #include <linux/sort.h> - -+/* sysctl */ -+#ifdef CONFIG_USER_NS_UNPRIVILEGED -+int unprivileged_userns_clone = 1; -+#else -+int unprivileged_userns_clone; -+#endif -+ - static struct kmem_cache *user_ns_cachep __read_mostly; - static DEFINE_MUTEX(userns_state_mutex); - --- -2.26.0 - |