diff options
author | graysky | 2019-02-23 14:14:04 -0500 |
---|---|---|
committer | graysky | 2019-02-23 14:14:04 -0500 |
commit | e46fb53095ad5970d53d9c3a2200a3c5f7e7f9d7 (patch) | |
tree | ea3d5667d60c3bcf0ebe7247c06df043f0392dd1 | |
parent | 0411bf0858d2ef16a450915e02619f4389806175 (diff) | |
download | aur-e46fb53095ad5970d53d9c3a2200a3c5f7e7f9d7.tar.gz |
Update to 4.20.12-4
-rw-r--r-- | .SRCINFO | 10 | ||||
-rw-r--r-- | 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch | 102 | ||||
-rw-r--r-- | 0002-exec-Fix-mem-leak-in-kernel_read_file.patch (renamed from 0001-exec-Fix-mem-leak-in-kernel_read_file.patch) | 2 | ||||
-rw-r--r-- | PKGBUILD | 8 |
4 files changed, 114 insertions, 8 deletions
@@ -1,8 +1,8 @@ # Generated by mksrcinfo v8 -# Sat Feb 23 11:52:03 UTC 2019 +# Sat Feb 23 19:14:04 UTC 2019 pkgbase = linux-ck pkgver = 4.20.12 - pkgrel = 3 + pkgrel = 4 url = https://wiki.archlinux.org/index.php/Linux-ck arch = x86_64 license = GPL2 @@ -20,7 +20,8 @@ pkgbase = linux-ck source = enable_additional_cpu_optimizations-20180509.tar.gz::https://github.com/graysky2/kernel_gcc_patch/archive/20180509.tar.gz source = http://ck.kolivas.org/patches/4.0/4.20/4.20-ck1/patch-4.20-ck1.xz source = 0000-unfuck-ck1-for-kvm-intel-symbol.patch - source = 0001-exec-Fix-mem-leak-in-kernel_read_file.patch + source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch + source = 0002-exec-Fix-mem-leak-in-kernel_read_file.patch sha256sums = 1cf544308195250805e0731c716691bea4c1ed29e03e6f9ae5be6dc16785a504 sha256sums = SKIP sha256sums = 4ff10c16fa729f808e812e3ff53ef8087ab9c220c84d860676d3bfb5c1c63c5d @@ -30,7 +31,8 @@ pkgbase = linux-ck sha256sums = 226e30068ea0fecdb22f337391385701996bfbdba37cdcf0f1dbf55f1080542d sha256sums = 4bd614333fcbe509118b5362889f76d241e1d33e1ee691bd24fd82384ce7f2de sha256sums = 3e8c7d3015bb593e8a861be0b2b9f1de74fcb25e00c6e3eacee3165c6bec6f64 - sha256sums = a8962ae10431de7c5eebe07a34fff5acd613904865dcabbcea03e8108d11b1fb + sha256sums = 55823bb3ca652d917ba79860d595b479ec20c22a7c6854cbef901d44b4196316 + sha256sums = bbf31b3a6af1db882cb63bd5e5385f174f2345272acaf18f129712a0a726689b pkgname = linux-ck pkgdesc = The Linux-ck kernel and modules with the ck1 patchset featuring MuQSS CPU scheduler v0.185 diff --git a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch new file mode 100644 index 000000000000..4a24f9ce9682 --- /dev/null +++ b/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch @@ -0,0 +1,102 @@ +From 884528c4629b0b333061c191d9b26081431dbfd3 Mon Sep 17 00:00:00 2001 +From: Serge Hallyn <serge.hallyn@canonical.com> +Date: Fri, 31 May 2013 19:12:12 +0100 +Subject: [PATCH 1/3] add sysctl to disallow unprivileged CLONE_NEWUSER by + default + +Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> +[bwh: Remove unneeded binary sysctl bits] +Signed-off-by: Daniel Micay <danielmicay@gmail.com> +--- + kernel/fork.c | 15 +++++++++++++++ + kernel/sysctl.c | 12 ++++++++++++ + kernel/user_namespace.c | 3 +++ + 3 files changed, 30 insertions(+) + +diff --git a/kernel/fork.c b/kernel/fork.c +index 906cd0c13d15..0d1d30ad91e7 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -104,6 +104,11 @@ + + #define CREATE_TRACE_POINTS + #include <trace/events/task.h> ++#ifdef CONFIG_USER_NS ++extern int unprivileged_userns_clone; ++#else ++#define unprivileged_userns_clone 0 ++#endif + + /* + * Minimum number of threads to boot the kernel +@@ -1699,6 +1704,10 @@ static __latent_entropy struct task_struct *copy_process( + if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) + return ERR_PTR(-EINVAL); + ++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) ++ if (!capable(CAP_SYS_ADMIN)) ++ return ERR_PTR(-EPERM); ++ + /* + * Thread groups must share signals as well, and detached threads + * can only be started up within the thread group. +@@ -2532,6 +2541,12 @@ int ksys_unshare(unsigned long unshare_flags) + if (unshare_flags & CLONE_NEWNS) + unshare_flags |= CLONE_FS; + ++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) { ++ err = -EPERM; ++ if (!capable(CAP_SYS_ADMIN)) ++ goto bad_unshare_out; ++ } ++ + err = check_unshare_flags(unshare_flags); + if (err) + goto bad_unshare_out; +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index 9ee261fce89e..ab26ddeab33d 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -106,6 +106,9 @@ extern int core_uses_pid; + extern char core_pattern[]; + extern unsigned int core_pipe_limit; + #endif ++#ifdef CONFIG_USER_NS ++extern int unprivileged_userns_clone; ++#endif + extern int pid_max; + extern int pid_max_min, pid_max_max; + extern int percpu_pagelist_fraction; +@@ -515,6 +518,15 @@ static struct ctl_table kern_table[] = { + .proc_handler = proc_dointvec, + }, + #endif ++#ifdef CONFIG_USER_NS ++ { ++ .procname = "unprivileged_userns_clone", ++ .data = &unprivileged_userns_clone, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ }, ++#endif + #ifdef CONFIG_PROC_SYSCTL + { + .procname = "tainted", +diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c +index 923414a246e9..6b9dbc257e34 100644 +--- a/kernel/user_namespace.c ++++ b/kernel/user_namespace.c +@@ -26,6 +26,9 @@ + #include <linux/bsearch.h> + #include <linux/sort.h> + ++/* sysctl */ ++int unprivileged_userns_clone; ++ + static struct kmem_cache *user_ns_cachep __read_mostly; + static DEFINE_MUTEX(userns_state_mutex); + +-- +2.20.1 + diff --git a/0001-exec-Fix-mem-leak-in-kernel_read_file.patch b/0002-exec-Fix-mem-leak-in-kernel_read_file.patch index bed047b765a2..750e105d3741 100644 --- a/0001-exec-Fix-mem-leak-in-kernel_read_file.patch +++ b/0002-exec-Fix-mem-leak-in-kernel_read_file.patch @@ -1,4 +1,4 @@ -From 3096ba94fa87b22664baa91e71a55ce698bb8aed Mon Sep 17 00:00:00 2001 +From e4817043e07f7414acdb25aa0d0689cb30a5fc2b Mon Sep 17 00:00:00 2001 From: YueHaibing <yuehaibing@huawei.com> Date: Tue, 19 Feb 2019 10:10:38 +0800 Subject: [PATCH 2/3] exec: Fix mem leak in kernel_read_file @@ -63,7 +63,7 @@ _localmodcfg= pkgbase=linux-ck _srcver=4.20.12-arch1 pkgver=${_srcver%-*} -pkgrel=3 +pkgrel=4 _ckpatchversion=1 arch=(x86_64) url="https://wiki.archlinux.org/index.php/Linux-ck" @@ -81,7 +81,8 @@ source=( "enable_additional_cpu_optimizations-$_gcc_more_v.tar.gz::https://github.com/graysky2/kernel_gcc_patch/archive/$_gcc_more_v.tar.gz" "http://ck.kolivas.org/patches/4.0/4.20/4.20-ck${_ckpatchversion}/$_ckpatch.xz" 0000-unfuck-ck1-for-kvm-intel-symbol.patch - 0001-exec-Fix-mem-leak-in-kernel_read_file.patch + 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch + 0002-exec-Fix-mem-leak-in-kernel_read_file.patch ) validpgpkeys=( 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds @@ -96,7 +97,8 @@ sha256sums=('1cf544308195250805e0731c716691bea4c1ed29e03e6f9ae5be6dc16785a504' '226e30068ea0fecdb22f337391385701996bfbdba37cdcf0f1dbf55f1080542d' '4bd614333fcbe509118b5362889f76d241e1d33e1ee691bd24fd82384ce7f2de' '3e8c7d3015bb593e8a861be0b2b9f1de74fcb25e00c6e3eacee3165c6bec6f64' - 'a8962ae10431de7c5eebe07a34fff5acd613904865dcabbcea03e8108d11b1fb') + '55823bb3ca652d917ba79860d595b479ec20c22a7c6854cbef901d44b4196316' + 'bbf31b3a6af1db882cb63bd5e5385f174f2345272acaf18f129712a0a726689b') _kernelname=${pkgbase#linux} : ${_kernelname:=-ARCH} |