authorcharveey2020-02-12 05:09:47 +0000
committercharveey2020-02-12 05:09:47 +0000
commit6255045d3aa088162701c43729ce67f382ebdfeb (patch)
tree93528583fdd33f40355cd2f980a5faa2fe969a85 /0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
parenta10bc0064f2a2af38bb346929e5b3410f2c67182 (diff)
updated to 5.5.3
Diffstat (limited to '0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch')
-rw-r--r--0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch57
1 files changed, 0 insertions, 57 deletions
diff --git a/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch b/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
deleted file mode 100644
index dfa89cceaeac..000000000000
--- a/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From b30ec6648774140adcbfc9b0e813ecfd0785f79d Mon Sep 17 00:00:00 2001
-From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
-Date: Thu, 7 Dec 2017 13:50:48 +0100
-Subject: [PATCH 2/3] ZEN: Add CONFIG for unprivileged_userns_clone
-
-This way our default behavior continues to match the vanilla kernel.
----
- init/Kconfig | 16 ++++++++++++++++
- kernel/user_namespace.c | 4 ++++
- 2 files changed, 20 insertions(+)
-
-diff --git a/init/Kconfig b/init/Kconfig
-index 4592bf7997c0..f3df02990aff 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -1004,6 +1004,22 @@ config USER_NS
-
- If unsure, say N.
-
-+config USER_NS_UNPRIVILEGED
-+ bool "Allow unprivileged users to create namespaces"
-+ default y
-+ depends on USER_NS
-+ help
-+ When disabled, unprivileged users will not be able to create
-+ new namespaces. Allowing users to create their own namespaces
-+ has been part of several recent local privilege escalation
-+ exploits, so if you need user namespaces but are
-+ paranoid^Wsecurity-conscious you want to disable this.
-+
-+ This setting can be overridden at runtime via the
-+ kernel.unprivileged_userns_clone sysctl.
-+
-+ If unsure, say Y.
-+
- config PID_NS
- bool "PID Namespaces"
- default y
-diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index 6b9dbc257e34..107b17f0d528 100644
---- a/kernel/user_namespace.c
-+++ b/kernel/user_namespace.c
-@@ -27,7 +27,11 @@
- #include <linux/sort.h>
-
- /* sysctl */
-+#ifdef CONFIG_USER_NS_UNPRIVILEGED
-+int unprivileged_userns_clone = 1;
-+#else
- int unprivileged_userns_clone;
-+#endif
-
- static struct kmem_cache *user_ns_cachep __read_mostly;
- static DEFINE_MUTEX(userns_state_mutex);
---
-2.22.0
-