summarylogtreecommitdiffstats
diff options
context:
space:
mode:
authorFigue2017-12-08 10:22:46 +0100
committerFigue2017-12-08 10:22:46 +0100
commit55c2dbb9dfde34ce6d44f46a94483ad967e7f997 (patch)
treeec83e0074ca0a41279b9d455104be61e6388c735
parente5583b3c564ebc34a43a2cfe1dddfef228cc3c54 (diff)
downloadaur-55c2dbb9dfde34ce6d44f46a94483ad967e7f997.tar.gz
4.14.4-2-bld
Diffstat
-rw-r--r--.SRCINFO8
-rw-r--r--0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch102
-rw-r--r--PKGBUILD14
3 files changed, 116 insertions, 8 deletions
diff --git a/.SRCINFO b/.SRCINFO
index dd8da279a61c..2b294762f920 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
pkgbase = linux-bld
pkgver = 4.14.4
- pkgrel = 1
+ pkgrel = 2
url = https://github.com/rmullick/linux
arch = x86_64
license = GPL2
@@ -17,8 +17,9 @@ pkgbase = linux-bld
source = 60-linux.hook
source = 90-linux.hook
source = linux-bld.preset
- source = config::https://git.archlinux.org/svntogit/packages.git/plain/trunk/config?h=packages/linux&id=8aee2fcbaf3fe676199bde199f9074e90f736681
+ source = config::https://git.archlinux.org/svntogit/packages.git/plain/trunk/config?h=packages/linux&id=e42e6ffc6243370215eb33690b3c68f96f181cdb
source = https://raw.githubusercontent.com/rmullick/bld-patches/master/BLD-4.14.patch
+ source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886
validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E
sha256sums = f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7
@@ -28,8 +29,9 @@ pkgbase = linux-bld
sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21
sha256sums = 75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919
sha256sums = 5b51a1eacb3e00b304ca54d31f467ec1fb15fdfce93f1c62963d087bf753e812
- sha256sums = a68e94064f040d60e8e4c3380efeee085b54d252d527e960dd17ac688505d5b6
+ sha256sums = 12a7bd958a820315d8d8be7544976e8a8aa1fb7aa27fcf8377ca68317e3e70a9
sha256sums = 80b697edb27534e0651609708faaa9f933c8bbc198d410f6cd50ef9ae2128794
+ sha256sums = 37b86ca3de148a34258e3176dbf41488d9dbd19e93adbd22a062b3c41332ce85
pkgname = linux-bld
pkgdesc = The Linux-bld kernel and modules with BLD patches
diff --git a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
new file mode 100644
index 000000000000..29582c2bf608
--- /dev/null
+++ b/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
@@ -0,0 +1,102 @@
+From 5ec2dd3a095442ec1a21d86042a4994f2ba24e63 Mon Sep 17 00:00:00 2001
+Message-Id: <5ec2dd3a095442ec1a21d86042a4994f2ba24e63.1512651251.git.jan.steffens@gmail.com>
+From: Serge Hallyn <serge.hallyn@canonical.com>
+Date: Fri, 31 May 2013 19:12:12 +0100
+Subject: [PATCH] add sysctl to disallow unprivileged CLONE_NEWUSER by default
+
+Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+[bwh: Remove unneeded binary sysctl bits]
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ kernel/fork.c | 15 +++++++++++++++
+ kernel/sysctl.c | 12 ++++++++++++
+ kernel/user_namespace.c | 3 +++
+ 3 files changed, 30 insertions(+)
+
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 07cc743698d3668e..4011d68a8ff9305c 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -102,6 +102,11 @@
+
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/task.h>
++#ifdef CONFIG_USER_NS
++extern int unprivileged_userns_clone;
++#else
++#define unprivileged_userns_clone 0
++#endif
+
+ /*
+ * Minimum number of threads to boot the kernel
+@@ -1555,6 +1560,10 @@ static __latent_entropy struct task_struct *copy_process(
+ if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
+ return ERR_PTR(-EINVAL);
+
++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
++ if (!capable(CAP_SYS_ADMIN))
++ return ERR_PTR(-EPERM);
++
+ /*
+ * Thread groups must share signals as well, and detached threads
+ * can only be started up within the thread group.
+@@ -2348,6 +2357,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
+ if (unshare_flags & CLONE_NEWNS)
+ unshare_flags |= CLONE_FS;
+
++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
++ err = -EPERM;
++ if (!capable(CAP_SYS_ADMIN))
++ goto bad_unshare_out;
++ }
++
+ err = check_unshare_flags(unshare_flags);
+ if (err)
+ goto bad_unshare_out;
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index b86520ed3fb60fbf..f7dab3760839f1a1 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -105,6 +105,9 @@ extern int core_uses_pid;
+ extern char core_pattern[];
+ extern unsigned int core_pipe_limit;
+ #endif
++#ifdef CONFIG_USER_NS
++extern int unprivileged_userns_clone;
++#endif
+ extern int pid_max;
+ extern int pid_max_min, pid_max_max;
+ extern int percpu_pagelist_fraction;
+@@ -513,6 +516,15 @@ static struct ctl_table kern_table[] = {
+ .proc_handler = proc_dointvec,
+ },
+ #endif
++#ifdef CONFIG_USER_NS
++ {
++ .procname = "unprivileged_userns_clone",
++ .data = &unprivileged_userns_clone,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
++ },
++#endif
+ #ifdef CONFIG_PROC_SYSCTL
+ {
+ .procname = "tainted",
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index c490f1e4313b998a..dd03bd39d7bf194d 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -24,6 +24,9 @@
+ #include <linux/projid.h>
+ #include <linux/fs_struct.h>
+
++/* sysctl */
++int unprivileged_userns_clone;
++
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+
+--
+2.15.1
+
diff --git a/PKGBUILD b/PKGBUILD
index 6a7a38a474e1..b5e7cc446421 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -8,14 +8,14 @@ _kernelname=-bld
pkgver=4.14.4
_srcname=linux-4.14
_pkgver2=${_srcname#*-}.0
-pkgrel=1
+pkgrel=2
arch=('x86_64')
url="https://github.com/rmullick/linux"
license=('GPL2')
makedepends=('xmlto' 'kmod' 'inetutils' 'bc' 'libelf')
options=('!strip')
_BLDpatch="BLD-${_srcname#*-}.patch"
-arch_config_trunk=8aee2fcbaf3fe676199bde199f9074e90f736681
+arch_config_trunk=e42e6ffc6243370215eb33690b3c68f96f181cdb
source=("http://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz"
"https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.sign"
"http://www.kernel.org/pub/linux/kernel/v4.x/patch-${pkgver}.xz"
@@ -28,6 +28,7 @@ source=("http://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz"
"config::https://git.archlinux.org/svntogit/packages.git/plain/trunk/config?h=packages/linux&id=${arch_config_trunk}"
# main BLD patch
"https://raw.githubusercontent.com/rmullick/bld-patches/master/${_BLDpatch}"
+ "0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch"
)
sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
@@ -37,8 +38,9 @@ sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
'75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
'5b51a1eacb3e00b304ca54d31f467ec1fb15fdfce93f1c62963d087bf753e812'
- 'a68e94064f040d60e8e4c3380efeee085b54d252d527e960dd17ac688505d5b6'
- '80b697edb27534e0651609708faaa9f933c8bbc198d410f6cd50ef9ae2128794')
+ '12a7bd958a820315d8d8be7544976e8a8aa1fb7aa27fcf8377ca68317e3e70a9'
+ '80b697edb27534e0651609708faaa9f933c8bbc198d410f6cd50ef9ae2128794'
+ '37b86ca3de148a34258e3176dbf41488d9dbd19e93adbd22a062b3c41332ce85')
validpgpkeys=(
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
@@ -73,7 +75,9 @@ prepare() {
msg2 "BLD patches"
patch -Np1 -i "${srcdir}/${_BLDpatch}"
-# msg2 "Patches from Archlinux standard package"
+ msg2 "Patches from Archlinux standard package"
+ # disable USER_NS for non-root users by default
+ patch -Np1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
cp -Tf ../config .config