diff options
author | Piotr Gorski | 2018-12-18 15:26:41 +0100 |
---|---|---|
committer | Piotr Gorski | 2018-12-18 15:26:41 +0100 |
commit | 1b5d53af34727927483f40e08350abf50bf90b8b (patch) | |
tree | 9825078cfcd934a178b0efebc8dfa07bd9f0835d | |
parent | 68ecd428e725e911feb0f8820123d8e0020cd7cb (diff) | |
download | aur-1b5d53af34727927483f40e08350abf50bf90b8b.tar.gz |
Reshuffle
Signed-off-by: Piotr Gorski <lucjan.lucjanov@gmail.com>
-rw-r--r-- | .SRCINFO | 4 | ||||
-rw-r--r-- | 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch | 102 | ||||
-rw-r--r-- | PKGBUILD | 8 |
3 files changed, 6 insertions, 108 deletions
@@ -16,24 +16,24 @@ pkgbase = linux-bfq-mq source = https://raw.githubusercontent.com/graysky2/kernel_gcc_patch/master/enable_additional_cpu_optimizations_for_gcc_v8.1+_kernel_v4.13+.patch source = https://gitlab.com/sirlucjan/kernel-patches/raw/master/4.19/bfq-sq-mq/4.19-bfq-sq-mq-v9r1-2K181212-rc1.patch source = https://gitlab.com/sirlucjan/kernel-patches/raw/master/4.19/0100-Check-presence-on-tree-of-every-entity-after-every-a.patch + source = https://gitlab.com/sirlucjan/kernel-patches/raw/master/4.19/arch-patches/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch source = config source = 60-linux.hook source = 90-linux.hook source = 99-linux.hook source = linux.preset - source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E sha256sums = afe968ceeca93eac2173f9f95d90b2eeb489bafdd2083478ac0b7d0704b33e94 sha256sums = SKIP sha256sums = 9f7177679c8d3f8d699ef0566a51349d828436dba04603bc2223f98c60d2d178 sha256sums = 8761152216a204b0bbf2bd581abc3f5cdf851cec8b807316528b72a7b552ef12 sha256sums = eb3cb1a9e487c54346b798b57f5b505f8a85fd1bc839d8f00b2925e6a7d74531 + sha256sums = 1bc55e0c12f1ea9bf4b823fc78b91e12cf1cf1972f778484fbd5fa0d9e8264f2 sha256sums = 431c8b4ebc34d86c815d6af071d728a02872db9f5f6cc5e6542b0431264532ff sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21 sha256sums = c043f3033bb781e2688794a59f6d1f7ed49ef9b13eb77ff9a425df33a244a636 sha256sums = ed9d35cb7d7bd829ff6253353efa5e2d119820fe4f4310aea536671f5e4caa37 sha256sums = ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65 - sha256sums = 37c115ad797afc7e47615dc56c6416932b6645e16da097ddcfa401df41a31248 pkgname = linux-bfq-mq pkgdesc = The Linux-bfq-mq kernel and modules with the BFQ-MQ scheduler diff --git a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch deleted file mode 100644 index 109640b12f2f..000000000000 --- a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch +++ /dev/null @@ -1,102 +0,0 @@ -From 4b38af06b758979fd674096c0a64f7af49ce3022 Mon Sep 17 00:00:00 2001 -From: Serge Hallyn <serge.hallyn@canonical.com> -Date: Fri, 31 May 2013 19:12:12 +0100 -Subject: [PATCH] add sysctl to disallow unprivileged CLONE_NEWUSER by - default - -Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> -[bwh: Remove unneeded binary sysctl bits] -Signed-off-by: Daniel Micay <danielmicay@gmail.com> ---- - kernel/fork.c | 15 +++++++++++++++ - kernel/sysctl.c | 12 ++++++++++++ - kernel/user_namespace.c | 3 +++ - 3 files changed, 30 insertions(+) - -diff --git a/kernel/fork.c b/kernel/fork.c -index f0b58479534f..8b2d927125c5 100644 ---- a/kernel/fork.c -+++ b/kernel/fork.c -@@ -103,6 +103,11 @@ - - #define CREATE_TRACE_POINTS - #include <trace/events/task.h> -+#ifdef CONFIG_USER_NS -+extern int unprivileged_userns_clone; -+#else -+#define unprivileged_userns_clone 0 -+#endif - - /* - * Minimum number of threads to boot the kernel -@@ -1649,6 +1654,10 @@ static __latent_entropy struct task_struct *copy_process( - if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) - return ERR_PTR(-EINVAL); - -+ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) -+ if (!capable(CAP_SYS_ADMIN)) -+ return ERR_PTR(-EPERM); -+ - /* - * Thread groups must share signals as well, and detached threads - * can only be started up within the thread group. -@@ -2467,6 +2476,12 @@ int ksys_unshare(unsigned long unshare_flags) - if (unshare_flags & CLONE_NEWNS) - unshare_flags |= CLONE_FS; - -+ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) { -+ err = -EPERM; -+ if (!capable(CAP_SYS_ADMIN)) -+ goto bad_unshare_out; -+ } -+ - err = check_unshare_flags(unshare_flags); - if (err) - goto bad_unshare_out; -diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index cc02050fd0c4..ce2ad2b92897 100644 ---- a/kernel/sysctl.c -+++ b/kernel/sysctl.c -@@ -105,6 +105,9 @@ extern int core_uses_pid; - extern char core_pattern[]; - extern unsigned int core_pipe_limit; - #endif -+#ifdef CONFIG_USER_NS -+extern int unprivileged_userns_clone; -+#endif - extern int pid_max; - extern int pid_max_min, pid_max_max; - extern int percpu_pagelist_fraction; -@@ -514,6 +517,15 @@ static struct ctl_table kern_table[] = { - .proc_handler = proc_dointvec, - }, - #endif -+#ifdef CONFIG_USER_NS -+ { -+ .procname = "unprivileged_userns_clone", -+ .data = &unprivileged_userns_clone, -+ .maxlen = sizeof(int), -+ .mode = 0644, -+ .proc_handler = proc_dointvec, -+ }, -+#endif - #ifdef CONFIG_PROC_SYSCTL - { - .procname = "tainted", -diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c -index e5222b5fb4fe..c941a66e51d1 100644 ---- a/kernel/user_namespace.c -+++ b/kernel/user_namespace.c -@@ -26,6 +26,9 @@ - #include <linux/bsearch.h> - #include <linux/sort.h> - -+/* sysctl */ -+int unprivileged_userns_clone; -+ - static struct kmem_cache *user_ns_cachep __read_mostly; - static DEFINE_MUTEX(userns_state_mutex); - --- -2.19.1.542.gc4df23f792 - @@ -88,6 +88,7 @@ source=(# mainline kernel patches # bfq-mq patch "${_lucjanpath}/${_bfq_sq_mq_path}/${_bfq_sq_mq_patch}" "${_lucjanpath}/0100-Check-presence-on-tree-of-every-entity-after-every-a.patch" + "${_lucjanpath}/arch-patches/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch" # the main kernel config files 'config' # pacman hook for depmod @@ -97,20 +98,19 @@ source=(# mainline kernel patches # pacman hook for remove initramfs '99-linux.hook' # standard config files for mkinitcpio ramdisk - 'linux.preset' - '0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch') + 'linux.preset') sha256sums=('afe968ceeca93eac2173f9f95d90b2eeb489bafdd2083478ac0b7d0704b33e94' 'SKIP' '9f7177679c8d3f8d699ef0566a51349d828436dba04603bc2223f98c60d2d178' '8761152216a204b0bbf2bd581abc3f5cdf851cec8b807316528b72a7b552ef12' 'eb3cb1a9e487c54346b798b57f5b505f8a85fd1bc839d8f00b2925e6a7d74531' + '1bc55e0c12f1ea9bf4b823fc78b91e12cf1cf1972f778484fbd5fa0d9e8264f2' '431c8b4ebc34d86c815d6af071d728a02872db9f5f6cc5e6542b0431264532ff' 'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21' 'c043f3033bb781e2688794a59f6d1f7ed49ef9b13eb77ff9a425df33a244a636' 'ed9d35cb7d7bd829ff6253353efa5e2d119820fe4f4310aea536671f5e4caa37' - 'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65' - '37c115ad797afc7e47615dc56c6416932b6645e16da097ddcfa401df41a31248') + 'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65') validpgpkeys=( '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman ) |