summarylogtreecommitdiffstats
diff options
context:
space:
mode:
authorPiotr Gorski2018-12-18 15:26:41 +0100
committerPiotr Gorski2018-12-18 15:26:41 +0100
commit1b5d53af34727927483f40e08350abf50bf90b8b (patch)
tree9825078cfcd934a178b0efebc8dfa07bd9f0835d
parent68ecd428e725e911feb0f8820123d8e0020cd7cb (diff)
downloadaur-1b5d53af34727927483f40e08350abf50bf90b8b.tar.gz
Reshuffle
Signed-off-by: Piotr Gorski <lucjan.lucjanov@gmail.com>
-rw-r--r--.SRCINFO4
-rw-r--r--0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch102
-rw-r--r--PKGBUILD8
3 files changed, 6 insertions, 108 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 7dcc66ee477b..74acd66523a8 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -16,24 +16,24 @@ pkgbase = linux-bfq-mq
source = https://raw.githubusercontent.com/graysky2/kernel_gcc_patch/master/enable_additional_cpu_optimizations_for_gcc_v8.1+_kernel_v4.13+.patch
source = https://gitlab.com/sirlucjan/kernel-patches/raw/master/4.19/bfq-sq-mq/4.19-bfq-sq-mq-v9r1-2K181212-rc1.patch
source = https://gitlab.com/sirlucjan/kernel-patches/raw/master/4.19/0100-Check-presence-on-tree-of-every-entity-after-every-a.patch
+ source = https://gitlab.com/sirlucjan/kernel-patches/raw/master/4.19/arch-patches/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
source = config
source = 60-linux.hook
source = 90-linux.hook
source = 99-linux.hook
source = linux.preset
- source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E
sha256sums = afe968ceeca93eac2173f9f95d90b2eeb489bafdd2083478ac0b7d0704b33e94
sha256sums = SKIP
sha256sums = 9f7177679c8d3f8d699ef0566a51349d828436dba04603bc2223f98c60d2d178
sha256sums = 8761152216a204b0bbf2bd581abc3f5cdf851cec8b807316528b72a7b552ef12
sha256sums = eb3cb1a9e487c54346b798b57f5b505f8a85fd1bc839d8f00b2925e6a7d74531
+ sha256sums = 1bc55e0c12f1ea9bf4b823fc78b91e12cf1cf1972f778484fbd5fa0d9e8264f2
sha256sums = 431c8b4ebc34d86c815d6af071d728a02872db9f5f6cc5e6542b0431264532ff
sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21
sha256sums = c043f3033bb781e2688794a59f6d1f7ed49ef9b13eb77ff9a425df33a244a636
sha256sums = ed9d35cb7d7bd829ff6253353efa5e2d119820fe4f4310aea536671f5e4caa37
sha256sums = ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65
- sha256sums = 37c115ad797afc7e47615dc56c6416932b6645e16da097ddcfa401df41a31248
pkgname = linux-bfq-mq
pkgdesc = The Linux-bfq-mq kernel and modules with the BFQ-MQ scheduler
diff --git a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
deleted file mode 100644
index 109640b12f2f..000000000000
--- a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From 4b38af06b758979fd674096c0a64f7af49ce3022 Mon Sep 17 00:00:00 2001
-From: Serge Hallyn <serge.hallyn@canonical.com>
-Date: Fri, 31 May 2013 19:12:12 +0100
-Subject: [PATCH] add sysctl to disallow unprivileged CLONE_NEWUSER by
- default
-
-Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-[bwh: Remove unneeded binary sysctl bits]
-Signed-off-by: Daniel Micay <danielmicay@gmail.com>
----
- kernel/fork.c | 15 +++++++++++++++
- kernel/sysctl.c | 12 ++++++++++++
- kernel/user_namespace.c | 3 +++
- 3 files changed, 30 insertions(+)
-
-diff --git a/kernel/fork.c b/kernel/fork.c
-index f0b58479534f..8b2d927125c5 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -103,6 +103,11 @@
-
- #define CREATE_TRACE_POINTS
- #include <trace/events/task.h>
-+#ifdef CONFIG_USER_NS
-+extern int unprivileged_userns_clone;
-+#else
-+#define unprivileged_userns_clone 0
-+#endif
-
- /*
- * Minimum number of threads to boot the kernel
-@@ -1649,6 +1654,10 @@ static __latent_entropy struct task_struct *copy_process(
- if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
- return ERR_PTR(-EINVAL);
-
-+ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
-+ if (!capable(CAP_SYS_ADMIN))
-+ return ERR_PTR(-EPERM);
-+
- /*
- * Thread groups must share signals as well, and detached threads
- * can only be started up within the thread group.
-@@ -2467,6 +2476,12 @@ int ksys_unshare(unsigned long unshare_flags)
- if (unshare_flags & CLONE_NEWNS)
- unshare_flags |= CLONE_FS;
-
-+ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
-+ err = -EPERM;
-+ if (!capable(CAP_SYS_ADMIN))
-+ goto bad_unshare_out;
-+ }
-+
- err = check_unshare_flags(unshare_flags);
- if (err)
- goto bad_unshare_out;
-diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index cc02050fd0c4..ce2ad2b92897 100644
---- a/kernel/sysctl.c
-+++ b/kernel/sysctl.c
-@@ -105,6 +105,9 @@ extern int core_uses_pid;
- extern char core_pattern[];
- extern unsigned int core_pipe_limit;
- #endif
-+#ifdef CONFIG_USER_NS
-+extern int unprivileged_userns_clone;
-+#endif
- extern int pid_max;
- extern int pid_max_min, pid_max_max;
- extern int percpu_pagelist_fraction;
-@@ -514,6 +517,15 @@ static struct ctl_table kern_table[] = {
- .proc_handler = proc_dointvec,
- },
- #endif
-+#ifdef CONFIG_USER_NS
-+ {
-+ .procname = "unprivileged_userns_clone",
-+ .data = &unprivileged_userns_clone,
-+ .maxlen = sizeof(int),
-+ .mode = 0644,
-+ .proc_handler = proc_dointvec,
-+ },
-+#endif
- #ifdef CONFIG_PROC_SYSCTL
- {
- .procname = "tainted",
-diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index e5222b5fb4fe..c941a66e51d1 100644
---- a/kernel/user_namespace.c
-+++ b/kernel/user_namespace.c
-@@ -26,6 +26,9 @@
- #include <linux/bsearch.h>
- #include <linux/sort.h>
-
-+/* sysctl */
-+int unprivileged_userns_clone;
-+
- static struct kmem_cache *user_ns_cachep __read_mostly;
- static DEFINE_MUTEX(userns_state_mutex);
-
---
-2.19.1.542.gc4df23f792
-
diff --git a/PKGBUILD b/PKGBUILD
index b545cd0b4fce..fbf5fa0cecf7 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -88,6 +88,7 @@ source=(# mainline kernel patches
# bfq-mq patch
"${_lucjanpath}/${_bfq_sq_mq_path}/${_bfq_sq_mq_patch}"
"${_lucjanpath}/0100-Check-presence-on-tree-of-every-entity-after-every-a.patch"
+ "${_lucjanpath}/arch-patches/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch"
# the main kernel config files
'config'
# pacman hook for depmod
@@ -97,20 +98,19 @@ source=(# mainline kernel patches
# pacman hook for remove initramfs
'99-linux.hook'
# standard config files for mkinitcpio ramdisk
- 'linux.preset'
- '0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch')
+ 'linux.preset')
sha256sums=('afe968ceeca93eac2173f9f95d90b2eeb489bafdd2083478ac0b7d0704b33e94'
'SKIP'
'9f7177679c8d3f8d699ef0566a51349d828436dba04603bc2223f98c60d2d178'
'8761152216a204b0bbf2bd581abc3f5cdf851cec8b807316528b72a7b552ef12'
'eb3cb1a9e487c54346b798b57f5b505f8a85fd1bc839d8f00b2925e6a7d74531'
+ '1bc55e0c12f1ea9bf4b823fc78b91e12cf1cf1972f778484fbd5fa0d9e8264f2'
'431c8b4ebc34d86c815d6af071d728a02872db9f5f6cc5e6542b0431264532ff'
'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
'c043f3033bb781e2688794a59f6d1f7ed49ef9b13eb77ff9a425df33a244a636'
'ed9d35cb7d7bd829ff6253353efa5e2d119820fe4f4310aea536671f5e4caa37'
- 'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
- '37c115ad797afc7e47615dc56c6416932b6645e16da097ddcfa401df41a31248')
+ 'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65')
validpgpkeys=(
'647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
)