author | Figue | 2017-12-08 10:22:46 +0100 |
---|---|---|
committer | Figue | 2017-12-08 10:22:46 +0100 |
commit | 55c2dbb9dfde34ce6d44f46a94483ad967e7f997 (patch) | |
tree | ec83e0074ca0a41279b9d455104be61e6388c735 | |
parent | e5583b3c564ebc34a43a2cfe1dddfef228cc3c54 (diff) | |
download | aur-55c2dbb9dfde34ce6d44f46a94483ad967e7f997.tar.gz |
4.14.4-2-bld
-rw-r--r-- | .SRCINFO | 8 | ||||
-rw-r--r-- | 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch | 102 | ||||
-rw-r--r-- | PKGBUILD | 14 |
3 files changed, 116 insertions, 8 deletions
@@ -1,6 +1,6 @@
 pkgbase = linux-bld
 pkgver = 4.14.4
- pkgrel = 1
+ pkgrel = 2
 url = https://github.com/rmullick/linux
 arch = x86_64
 license = GPL2
@@ -17,8 +17,9 @@ pkgbase = linux-bld
 source = 60-linux.hook
 source = 90-linux.hook
 source = linux-bld.preset
- source = config::https://git.archlinux.org/svntogit/packages.git/plain/trunk/config?h=packages/linux&id=8aee2fcbaf3fe676199bde199f9074e90f736681
+ source = config::https://git.archlinux.org/svntogit/packages.git/plain/trunk/config?h=packages/linux&id=e42e6ffc6243370215eb33690b3c68f96f181cdb
 source = https://raw.githubusercontent.com/rmullick/bld-patches/master/BLD-4.14.patch
+ source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
 validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886
 validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E
 sha256sums = f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7
@@ -28,8 +29,9 @@ pkgbase = linux-bld
 sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21
 sha256sums = 75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919
 sha256sums = 5b51a1eacb3e00b304ca54d31f467ec1fb15fdfce93f1c62963d087bf753e812
- sha256sums = a68e94064f040d60e8e4c3380efeee085b54d252d527e960dd17ac688505d5b6
+ sha256sums = 12a7bd958a820315d8d8be7544976e8a8aa1fb7aa27fcf8377ca68317e3e70a9
 sha256sums = 80b697edb27534e0651609708faaa9f933c8bbc198d410f6cd50ef9ae2128794
+ sha256sums = 37b86ca3de148a34258e3176dbf41488d9dbd19e93adbd22a062b3c41332ce85
 
 pkgname = linux-bld
 pkgdesc = The Linux-bld kernel and modules with BLD patches
diff --git a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
new file mode 100644
index 000000000000..29582c2bf608
--- /dev/null
+++ b/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
@@ -0,0 +1,102 @@
+From 5ec2dd3a095442ec1a21d86042a4994f2ba24e63 Mon Sep 17 00:00:00 2001
+Message-Id: <5ec2dd3a095442ec1a21d86042a4994f2ba24e63.1512651251.git.jan.steffens@gmail.com>
+From: Serge Hallyn <serge.hallyn@canonical.com>
+Date: Fri, 31 May 2013 19:12:12 +0100
+Subject: [PATCH] add sysctl to disallow unprivileged CLONE_NEWUSER by default
+
+Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+[bwh: Remove unneeded binary sysctl bits]
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ kernel/fork.c | 15 +++++++++++++++
+ kernel/sysctl.c | 12 ++++++++++++
+ kernel/user_namespace.c | 3 +++
+ 3 files changed, 30 insertions(+)
+
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 07cc743698d3668e..4011d68a8ff9305c 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -102,6 +102,11 @@
+
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/task.h>
++#ifdef CONFIG_USER_NS
++extern int unprivileged_userns_clone;
++#else
++#define unprivileged_userns_clone 0
++#endif
+
+ /*
+ * Minimum number of threads to boot the kernel
+@@ -1555,6 +1560,10 @@ static __latent_entropy struct task_struct *copy_process(
+ if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
+ return ERR_PTR(-EINVAL);
+
++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
++ if (!capable(CAP_SYS_ADMIN))
++ return ERR_PTR(-EPERM);
++
+ /*
+ * Thread groups must share signals as well, and detached threads
+ * can only be started up within the thread group.
+@@ -2348,6 +2357,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
+ if (unshare_flags & CLONE_NEWNS)
+ unshare_flags |= CLONE_FS;
+
++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
++ err = -EPERM;
++ if (!capable(CAP_SYS_ADMIN))
++ goto bad_unshare_out;
++ }
++
+ err = check_unshare_flags(unshare_flags);
+ if (err)
+ goto bad_unshare_out;
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index b86520ed3fb60fbf..f7dab3760839f1a1 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -105,6 +105,9 @@ extern int core_uses_pid;
+ extern char core_pattern[];
+ extern unsigned int core_pipe_limit;
+ #endif
++#ifdef CONFIG_USER_NS
++extern int unprivileged_userns_clone;
++#endif
+ extern int pid_max;
+ extern int pid_max_min, pid_max_max;
+ extern int percpu_pagelist_fraction;
+@@ -513,6 +516,15 @@ static struct ctl_table kern_table[] = {
+ .proc_handler = proc_dointvec,
+ },
+ #endif
++#ifdef CONFIG_USER_NS
++ {
++ .procname = "unprivileged_userns_clone",
++ .data = &unprivileged_userns_clone,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
++ },
++#endif
+ #ifdef CONFIG_PROC_SYSCTL
+ {
+ .procname = "tainted",
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index c490f1e4313b998a..dd03bd39d7bf194d 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -24,6 +24,9 @@
+ #include <linux/projid.h>
+ #include <linux/fs_struct.h>
+
++/* sysctl */
++int unprivileged_userns_clone;
++
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+
+-- 
+2.15.1
+
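Review bot: The new `unprivileged_userns_clone` entry in kern_table (kernel/sysctl.c hunk at +516) registers the knob with plain `proc_dointvec`, so any integer written to /proc/sys/kernel/unprivileged_userns_clone is accepted and every non-zero value enables unprivileged user namespaces, which makes the effective state harder to audit than a strict 0/1 toggle. Since the variable is only ever tested for truthiness in copy_process() and unshare(), bounding it with `.proc_handler = proc_dointvec_minmax,` `.extra1 = &zero,` `.extra2 = &one,` keeps the interface to two values; the 4.14 kernel/sysctl.c carries `zero`/`one` statics for this purpose, but they are outside this hunk so confirm before relying on them. The copy_process() check in the first hunk stacks two unbraced `if`s, which reads less clearly than the braced form used here in unshare(); folding it into one condition, `if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone && !capable(CAP_SYS_ADMIN))`, would align the two call sites. The variable is defined as a zero-initialised int in kernel/user_namespace.c, so the default is "disallowed", which matches the Subject line.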
@@ -8,14 +8,14 @@ _kernelname=-bld
 pkgver=4.14.4
 _srcname=linux-4.14
 _pkgver2=${_srcname#*-}.0
-pkgrel=1
+pkgrel=2
 arch=('x86_64')
 url="https://github.com/rmullick/linux"
 license=('GPL2')
 makedepends=('xmlto' 'kmod' 'inetutils' 'bc' 'libelf')
 options=('!strip')
 _BLDpatch="BLD-${_srcname#*-}.patch"
-arch_config_trunk=8aee2fcbaf3fe676199bde199f9074e90f736681
+arch_config_trunk=e42e6ffc6243370215eb33690b3c68f96f181cdb
 source=("http://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz"
 "https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.sign"
 "http://www.kernel.org/pub/linux/kernel/v4.x/patch-${pkgver}.xz"
@@ -28,6 +28,7 @@ source=("http://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz"
 "config::https://git.archlinux.org/svntogit/packages.git/plain/trunk/config?h=packages/linux&id=${arch_config_trunk}"
 # main BLD patch
 "https://raw.githubusercontent.com/rmullick/bld-patches/master/${_BLDpatch}"
+ "0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch"
 )
 
 sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
@@ -37,8 +38,9 @@ sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
 'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
 '75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
 '5b51a1eacb3e00b304ca54d31f467ec1fb15fdfce93f1c62963d087bf753e812'
- 'a68e94064f040d60e8e4c3380efeee085b54d252d527e960dd17ac688505d5b6'
- '80b697edb27534e0651609708faaa9f933c8bbc198d410f6cd50ef9ae2128794')
+ '12a7bd958a820315d8d8be7544976e8a8aa1fb7aa27fcf8377ca68317e3e70a9'
+ '80b697edb27534e0651609708faaa9f933c8bbc198d410f6cd50ef9ae2128794'
+ '37b86ca3de148a34258e3176dbf41488d9dbd19e93adbd22a062b3c41332ce85')
 
 validpgpkeys=(
 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
@@ -73,7 +75,9 @@ prepare() { msg2 "BLD patches" patch -Np1 -i "${srcdir}/${_BLDpatch}" -# msg2 "Patches from Archlinux standard package" + msg2 "Patches from Archlinux standard package" + # disable USER_NS for non-root users by default + patch -Np1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch cp -Tf ../config .config |
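Review bot: The new comment `# disable USER_NS for non-root users by default` overstates what the carried patch does: user namespaces stay compiled in and usable, but unprivileged creation is gated behind the new kernel.unprivileged_userns_clone sysctl, which starts at 0 and can be flipped at runtime by root, so a reader auditing this kernel's hardening should not take it as a hard disable. A more accurate comment would be `# gate unprivileged user-namespace creation behind kernel.unprivileged_userns_clone (default 0; root may re-enable via sysctl)`. The patch is also applied through a relative path, `patch -Np1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch`, while the BLD patch two lines above uses `"${srcdir}/${_BLDpatch}"`; writing `patch -Np1 -i "${srcdir}/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch"` keeps the two invocations consistent and independent of the working directory at that point. The local patch is covered by the new sha256sums entry, so its integrity is pinned like the downloaded sources. prepare() begins outside this hunk.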