Diffstat (limited to 'kernels/linux-libre-x86_64/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch')
-rw-r--r-- | kernels/linux-libre-x86_64/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch | 57 |
1 files changed, 0 insertions, 57 deletions
diff --git a/kernels/linux-libre-x86_64/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch b/kernels/linux-libre-x86_64/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
deleted file mode 100644
index f72b49a4e..000000000
--- a/kernels/linux-libre-x86_64/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 52deaa0f77df6fdd3ae785cfdd21c0bb39247bed Mon Sep 17 00:00:00 2001
-From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
-Date: Thu, 7 Dec 2017 13:50:48 +0100
-Subject: [PATCH 2/5] ZEN: Add CONFIG for unprivileged_userns_clone
-
-This way our default behavior continues to match the vanilla kernel.
----
- init/Kconfig | 16 ++++++++++++++++
- kernel/user_namespace.c | 4 ++++
- 2 files changed, 20 insertions(+)
-
-diff --git a/init/Kconfig b/init/Kconfig
-index 0e2344389501..96f76927710a 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -1013,6 +1013,22 @@ config USER_NS
-
- If unsure, say N.
-
-+config USER_NS_UNPRIVILEGED
-+ bool "Allow unprivileged users to create namespaces"
-+ default y
-+ depends on USER_NS
-+ help
-+ When disabled, unprivileged users will not be able to create
-+ new namespaces. Allowing users to create their own namespaces
-+ has been part of several recent local privilege escalation
-+ exploits, so if you need user namespaces but are
-+ paranoid^Wsecurity-conscious you want to disable this.
-+
-+ This setting can be overridden at runtime via the
-+ kernel.unprivileged_userns_clone sysctl.
-+
-+ If unsure, say Y.
-+
- config PID_NS
- bool "PID Namespaces"
- default y
-diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index b2f8b5777670..aa27ecacfb1e 100644
---- a/kernel/user_namespace.c
-+++ b/kernel/user_namespace.c
-@@ -22,7 +22,11 @@
- #include <linux/sort.h>
-
- /* sysctl */
-+#ifdef CONFIG_USER_NS_UNPRIVILEGED
-+int unprivileged_userns_clone = 1;
-+#else
- int unprivileged_userns_clone;
-+#endif
-
- static struct kmem_cache *user_ns_cachep __read_mostly;
- static DEFINE_MUTEX(userns_state_mutex);
---
-2.22.0
- |