diff options
author | David P <megver83@parabola.nu> | 2019-07-19 12:07:57 -0400 |
---|---|---|
committer | David P <megver83@parabola.nu> | 2019-07-19 12:07:57 -0400 |
commit | 480c832cea9cc601009365b043a19e000a5f1e6e (patch) | |
tree | 09b767c89338a79d3911d56296891831385802a4 /libre/linux-libre-pae/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch | |
parent | c6a84430d8fada6e5d83ca1bc1046fe7efe19a1b (diff) | |
download | abslibre-480c832cea9cc601009365b043a19e000a5f1e6e.tar.gz abslibre-480c832cea9cc601009365b043a19e000a5f1e6e.tar.bz2 abslibre-480c832cea9cc601009365b043a19e000a5f1e6e.zip |
upgpkg: libre/linux-libre-pae 5.2.1_gnu-1
Signed-off-by: David P <megver83@parabola.nu>
Diffstat (limited to 'libre/linux-libre-pae/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch')
-rw-r--r-- | libre/linux-libre-pae/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/libre/linux-libre-pae/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch b/libre/linux-libre-pae/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch new file mode 100644 index 000000000..4143407b4 --- /dev/null +++ b/libre/linux-libre-pae/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch @@ -0,0 +1,57 @@ +From 0bced488c460e3e9c9b0cdbca884f1704f6877f7 Mon Sep 17 00:00:00 2001 +From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com> +Date: Thu, 7 Dec 2017 13:50:48 +0100 +Subject: [PATCH 2/3] ZEN: Add CONFIG for unprivileged_userns_clone + +This way our default behavior continues to match the vanilla kernel. +--- + init/Kconfig | 16 ++++++++++++++++ + kernel/user_namespace.c | 4 ++++ + 2 files changed, 20 insertions(+) + +diff --git a/init/Kconfig b/init/Kconfig +index 0e2344389501..96f76927710a 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1013,6 +1013,22 @@ config USER_NS + + If unsure, say N. + ++config USER_NS_UNPRIVILEGED ++ bool "Allow unprivileged users to create namespaces" ++ default y ++ depends on USER_NS ++ help ++ When disabled, unprivileged users will not be able to create ++ new namespaces. Allowing users to create their own namespaces ++ has been part of several recent local privilege escalation ++ exploits, so if you need user namespaces but are ++ paranoid^Wsecurity-conscious you want to disable this. ++ ++ This setting can be overridden at runtime via the ++ kernel.unprivileged_userns_clone sysctl. ++ ++ If unsure, say Y. ++ + config PID_NS + bool "PID Namespaces" + default y +diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c +index b2f8b5777670..aa27ecacfb1e 100644 +--- a/kernel/user_namespace.c ++++ b/kernel/user_namespace.c +@@ -22,7 +22,11 @@ + #include <linux/sort.h> + + /* sysctl */ ++#ifdef CONFIG_USER_NS_UNPRIVILEGED ++int unprivileged_userns_clone = 1; ++#else + int unprivileged_userns_clone; ++#endif + + static struct kmem_cache *user_ns_cachep __read_mostly; + static DEFINE_MUTEX(userns_state_mutex); +-- +2.22.0 + |