diff options
author | graysky | 2019-06-12 13:50:45 -0400 |
---|---|---|
committer | graysky | 2019-06-12 13:50:45 -0400 |
commit | 8fd1b751daf573e641d7f398502538ff7ddba3c6 (patch) | |
tree | 30866bd32105338daf6a0458e5618474312572e9 /0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch | |
parent | 16be7f665705d73b0f5c8a8d455221b76c8dc225 (diff) | |
download | aur-8fd1b751daf573e641d7f398502538ff7ddba3c6.tar.gz |
Update to 5.1.9-1
Diffstat (limited to '0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch')
-rw-r--r-- | 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch b/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch new file mode 100644 index 000000000000..dfa89cceaeac --- /dev/null +++ b/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch @@ -0,0 +1,57 @@ +From b30ec6648774140adcbfc9b0e813ecfd0785f79d Mon Sep 17 00:00:00 2001 +From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com> +Date: Thu, 7 Dec 2017 13:50:48 +0100 +Subject: [PATCH 2/3] ZEN: Add CONFIG for unprivileged_userns_clone + +This way our default behavior continues to match the vanilla kernel. +--- + init/Kconfig | 16 ++++++++++++++++ + kernel/user_namespace.c | 4 ++++ + 2 files changed, 20 insertions(+) + +diff --git a/init/Kconfig b/init/Kconfig +index 4592bf7997c0..f3df02990aff 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1004,6 +1004,22 @@ config USER_NS + + If unsure, say N. + ++config USER_NS_UNPRIVILEGED ++ bool "Allow unprivileged users to create namespaces" ++ default y ++ depends on USER_NS ++ help ++ When disabled, unprivileged users will not be able to create ++ new namespaces. Allowing users to create their own namespaces ++ has been part of several recent local privilege escalation ++ exploits, so if you need user namespaces but are ++ paranoid^Wsecurity-conscious you want to disable this. ++ ++ This setting can be overridden at runtime via the ++ kernel.unprivileged_userns_clone sysctl. ++ ++ If unsure, say Y. ++ + config PID_NS + bool "PID Namespaces" + default y +diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c +index 6b9dbc257e34..107b17f0d528 100644 +--- a/kernel/user_namespace.c ++++ b/kernel/user_namespace.c +@@ -27,7 +27,11 @@ + #include <linux/sort.h> + + /* sysctl */ ++#ifdef CONFIG_USER_NS_UNPRIVILEGED ++int unprivileged_userns_clone = 1; ++#else + int unprivileged_userns_clone; ++#endif + + static struct kmem_cache *user_ns_cachep __read_mostly; + static DEFINE_MUTEX(userns_state_mutex); +-- +2.22.0 + |