authorDavid Runge2019-11-13 22:22:14 +0100
committerDavid Runge2019-11-13 22:22:14 +0100
commit8f76da3b3a80985bbf9aee2560fe6f3bb93ba1da (patch)
tree1bc02a9f7433eca9389b5178ad1ac5c41e06cf83 /0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
parentdf0241f1b924a5a2efda69969b4cba1a5a1ce1bb (diff)
PKGBUILD: Upgrading to 4.19.82.30. Updating maintainer info. Merging current Arch specific patches. Replacing all msg2 calls with echo.
Diffstat (limited to '0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch')
-rw-r--r--0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch57
1 files changed, 0 insertions, 57 deletions
diff --git a/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch b/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
deleted file mode 100644
index 7fa619f1c84c..000000000000
--- a/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 1f89ffcbd1b6b6639eb49c521ac0d308a723cd3c Mon Sep 17 00:00:00 2001
-From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
-Date: Thu, 7 Dec 2017 13:50:48 +0100
-Subject: [PATCH 2/2] ZEN: Add CONFIG for unprivileged_userns_clone
-
-This way our default behavior continues to match the vanilla kernel.
----
- init/Kconfig | 16 ++++++++++++++++
- kernel/user_namespace.c | 4 ++++
- 2 files changed, 20 insertions(+)
-
-diff --git a/init/Kconfig b/init/Kconfig
-index 4592bf7997c0..f3df02990aff 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -1004,6 +1004,22 @@ config USER_NS
-
- If unsure, say N.
-
-+config USER_NS_UNPRIVILEGED
-+ bool "Allow unprivileged users to create namespaces"
-+ default y
-+ depends on USER_NS
-+ help
-+ When disabled, unprivileged users will not be able to create
-+ new namespaces. Allowing users to create their own namespaces
-+ has been part of several recent local privilege escalation
-+ exploits, so if you need user namespaces but are
-+ paranoid^Wsecurity-conscious you want to disable this.
-+
-+ This setting can be overridden at runtime via the
-+ kernel.unprivileged_userns_clone sysctl.
-+
-+ If unsure, say Y.
-+
- config PID_NS
- bool "PID Namespaces"
- default y
-diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index 6b9dbc257e34..107b17f0d528 100644
---- a/kernel/user_namespace.c
-+++ b/kernel/user_namespace.c
-@@ -27,7 +27,11 @@
- #include <linux/sort.h>
-
- /* sysctl */
-+#ifdef CONFIG_USER_NS_UNPRIVILEGED
-+int unprivileged_userns_clone = 1;
-+#else
- int unprivileged_userns_clone;
-+#endif
-
- static struct kmem_cache *user_ns_cachep __read_mostly;
- static DEFINE_MUTEX(userns_state_mutex);
---
-2.22.0
-