summaryrefslogtreecommitdiff
path: root/libre/linux-libre-pae/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
diff options
context:
space:
mode:
Diffstat (limited to 'libre/linux-libre-pae/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch')
-rw-r--r--libre/linux-libre-pae/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch57
1 files changed, 57 insertions, 0 deletions
diff --git a/libre/linux-libre-pae/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch b/libre/linux-libre-pae/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
new file mode 100644
index 000000000..4143407b4
--- /dev/null
+++ b/libre/linux-libre-pae/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
@@ -0,0 +1,57 @@
+From 0bced488c460e3e9c9b0cdbca884f1704f6877f7 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
+Date: Thu, 7 Dec 2017 13:50:48 +0100
+Subject: [PATCH 2/3] ZEN: Add CONFIG for unprivileged_userns_clone
+
+This way our default behavior continues to match the vanilla kernel.
+---
+ init/Kconfig | 16 ++++++++++++++++
+ kernel/user_namespace.c | 4 ++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 0e2344389501..96f76927710a 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1013,6 +1013,22 @@ config USER_NS
+
+ If unsure, say N.
+
++config USER_NS_UNPRIVILEGED
++ bool "Allow unprivileged users to create namespaces"
++ default y
++ depends on USER_NS
++ help
++ When disabled, unprivileged users will not be able to create
++ new namespaces. Allowing users to create their own namespaces
++ has been part of several recent local privilege escalation
++ exploits, so if you need user namespaces but are
++ paranoid^Wsecurity-conscious you want to disable this.
++
++ This setting can be overridden at runtime via the
++ kernel.unprivileged_userns_clone sysctl.
++
++ If unsure, say Y.
++
+ config PID_NS
+ bool "PID Namespaces"
+ default y
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index b2f8b5777670..aa27ecacfb1e 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -22,7 +22,11 @@
+ #include <linux/sort.h>
+
+ /* sysctl */
++#ifdef CONFIG_USER_NS_UNPRIVILEGED
++int unprivileged_userns_clone = 1;
++#else
+ int unprivileged_userns_clone;
++#endif
+
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+--
+2.22.0
+