diff options
| author | Joan Figueras | 2021-02-21 12:37:42 +0100 |
|---|---|---|
| committer | Joan Figueras | 2021-02-21 12:37:42 +0100 |
| commit | 9f0fdf6cac5084ae31c16db34c4ecf91cbbea228 (patch) | |
| tree | 99919bd263aaa6217af06979ba4cdcd130377573 | |
| parent | 0b33e08bc74a1ba38ba1c3c7fa48691bee91e121 (diff) | |
| download | aur-9f0fdf6cac5084ae31c16db34c4ecf91cbbea228.tar.gz | |
5.10.17-rt32-xanmod1
| -rw-r--r-- | .SRCINFO | 8 | ||||
| -rw-r--r-- | 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch | 133 | ||||
| -rw-r--r-- | PKGBUILD | 49 |
3 files changed, 13 insertions, 177 deletions
@@ -1,6 +1,6 @@ pkgbase = linux-xanmod-rt pkgdesc = Linux Xanmod real-time version - pkgver = 5.10.16 + pkgver = 5.10.17 pkgrel = 1 url = http://www.xanmod.org/ arch = x86_64 @@ -14,16 +14,14 @@ pkgbase = linux-xanmod-rt options = !strip source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.10.tar.xz source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.10.tar.sign - source = https://github.com/xanmod/linux/releases/download/5.10.16-rt30-xanmod1/patch-5.10.16-rt30-xanmod1.xz + source = https://github.com/xanmod/linux/releases/download/5.10.17-rt32-xanmod1/patch-5.10.17-rt32-xanmod1.xz source = choose-gcc-optimization.sh - source = 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886 validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E sha256sums = dcdf99e43e98330d925016985bfbc7b83c66d367b714b2de0cbbfcbf83d8ca43 sha256sums = SKIP - sha256sums = a42403e47773873310b851e17be183713fcc85582719e336ca8f755591802ad3 + sha256sums = ba10641cff06d61da6b620a508d87ee424ebcec4a0fe08d293fb36ea23e505bc sha256sums = 03bb8b234a67b877a34a8212936ba69d8700c54c7877686cbd9742a536c87134 - sha256sums = 6c66dba73251440352f93ff32b72f5dd49536d0f17ef9347867660fd3a626991 pkgname = linux-xanmod-rt pkgdesc = The Linux kernel and modules with Xanmod patches diff --git a/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch b/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch deleted file mode 100644 index d7dee55dde5e..000000000000 --- a/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch +++ /dev/null @@ -1,133 +0,0 @@ -From a8d736bad70d4062a14c29bdcbed71bef7b575f5 Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com> -Date: Mon, 16 Sep 2019 04:53:20 +0200 -Subject: [PATCH 01/15] ZEN: Add sysctl and CONFIG to disallow unprivileged - CLONE_NEWUSER - -Our default behavior continues to match the vanilla kernel. ---- - init/Kconfig | 16 ++++++++++++++++ - kernel/fork.c | 15 +++++++++++++++ - kernel/sysctl.c | 12 ++++++++++++ - kernel/user_namespace.c | 7 +++++++ - 4 files changed, 50 insertions(+) - -diff --git a/init/Kconfig b/init/Kconfig -index b4daad2bac23..362f82c5ec07 100644 ---- a/init/Kconfig -+++ b/init/Kconfig -@@ -1118,6 +1118,22 @@ config USER_NS - - If unsure, say N. - -+config USER_NS_UNPRIVILEGED -+ bool "Allow unprivileged users to create namespaces" -+ default y -+ depends on USER_NS -+ help -+ When disabled, unprivileged users will not be able to create -+ new namespaces. Allowing users to create their own namespaces -+ has been part of several recent local privilege escalation -+ exploits, so if you need user namespaces but are -+ paranoid^Wsecurity-conscious you want to disable this. -+ -+ This setting can be overridden at runtime via the -+ kernel.unprivileged_userns_clone sysctl. -+ -+ If unsure, say Y. -+ - config PID_NS - bool "PID Namespaces" - default y -diff --git a/kernel/fork.c b/kernel/fork.c -index 755d8160e001..ed909f8050b2 100644 ---- a/kernel/fork.c -+++ b/kernel/fork.c -@@ -106,6 +106,11 @@ - - #define CREATE_TRACE_POINTS - #include <trace/events/task.h> -+#ifdef CONFIG_USER_NS -+extern int unprivileged_userns_clone; -+#else -+#define unprivileged_userns_clone 0 -+#endif - - /* - * Minimum number of threads to boot the kernel -@@ -1779,6 +1784,10 @@ static __latent_entropy struct task_struct *copy_process( - if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) - return ERR_PTR(-EINVAL); - -+ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) -+ if (!capable(CAP_SYS_ADMIN)) -+ return ERR_PTR(-EPERM); -+ - /* - * Thread groups must share signals as well, and detached threads - * can only be started up within the thread group. -@@ -2836,6 +2845,12 @@ int ksys_unshare(unsigned long unshare_flags) - if (unshare_flags & CLONE_NEWNS) - unshare_flags |= CLONE_FS; - -+ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) { -+ err = -EPERM; -+ if (!capable(CAP_SYS_ADMIN)) -+ goto bad_unshare_out; -+ } -+ - err = check_unshare_flags(unshare_flags); - if (err) - goto bad_unshare_out; -diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index 70665934d53e..9797869ed829 100644 ---- a/kernel/sysctl.c -+++ b/kernel/sysctl.c -@@ -111,6 +111,10 @@ - static int sixty = 60; - #endif - -+#ifdef CONFIG_USER_NS -+extern int unprivileged_userns_clone; -+#endif -+ - static int __maybe_unused neg_one = -1; - static int __maybe_unused two = 2; - static int __maybe_unused four = 4; -@@ -1881,6 +1885,15 @@ - .mode = 0644, - .proc_handler = proc_dointvec, - }, -+#endif -+#ifdef CONFIG_USER_NS -+ { -+ .procname = "unprivileged_userns_clone", -+ .data = &unprivileged_userns_clone, -+ .maxlen = sizeof(int), -+ .mode = 0644, -+ .proc_handler = proc_dointvec, -+ }, - #endif - #ifdef CONFIG_PROC_SYSCTL - { -diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c -index 8eadadc478f9..c36ecd19562c 100644 ---- a/kernel/user_namespace.c -+++ b/kernel/user_namespace.c -@@ -21,6 +21,13 @@ - #include <linux/bsearch.h> - #include <linux/sort.h> - -+/* sysctl */ -+#ifdef CONFIG_USER_NS_UNPRIVILEGED -+int unprivileged_userns_clone = 1; -+#else -+int unprivileged_userns_clone; -+#endif -+ - static struct kmem_cache *user_ns_cachep __read_mostly; - static DEFINE_MUTEX(userns_state_mutex); - --- -2.25.0 - @@ -8,12 +8,12 @@ ## ## The following variables can be customized at build time. Use env or export to change at your wish ## -## Example: env _microarchitecture=25 use_numa=n use_tracers=n use_pds=n makepkg -sc +## Example: env _microarchitecture=99 use_numa=n use_tracers=n use_pds=n makepkg -sc ## ## Look inside 'choose-gcc-optimization.sh' to choose your microarchitecture -## Valid numbers between: 0 to 42 +## Valid numbers between: 0 to 99 ## Default is: 0 => generic -## Good option if your package is for one machine: 42 => native +## Good option if your package is for one machine: 99 => native if [ -z ${_microarchitecture+x} ]; then _microarchitecture=0 fi @@ -34,21 +34,7 @@ if [ -z ${use_tracers+x} ]; then use_tracers=y fi -## Enable Cachy CPU scheduler by default https://github.com/xanmod/linux/blob/5.8/Documentation/scheduler/sched-Cachy.rst -## Set variable "use_cachy" to: n to disable (stock Xanmod) -## y to enable -if [ -z ${use_cachy+x} ]; then - use_cachy=n -fi - -## Enable CONFIG_USER_NS_UNPRIVILEGED flag https://aur.archlinux.org/cgit/aur.git/tree/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch?h=linux-ck -## Set variable "use_ns" to: n to disable (stock Xanmod) -## y to enable (stock Archlinux) -if [ -z ${use_ns+x} ]; then - use_ns=n -fi - -# Compile ONLY used modules to VASTLYreduce the number of modules built +# Compile ONLY used modules to VASTLY reduce the number of modules built # and the build time. # # To keep track of which modules are needed for your specific system/hardware, @@ -66,10 +52,10 @@ _makenconfig= ### IMPORTANT: Do no edit below this line unless you know what you're doing pkgbase=linux-xanmod-rt -pkgver=5.10.16 +pkgver=5.10.17 _major=5.10 _branch=5.x -_rt=30 +_rt=32 xanmod=1 pkgrel=${xanmod} pkgdesc='Linux Xanmod real-time version' @@ -84,8 +70,7 @@ _srcname="linux-${pkgver}-rt${_rt}-xanmod${xanmod}" source=("https://cdn.kernel.org/pub/linux/kernel/v${_branch}/linux-${_major}.tar."{xz,sign} "https://github.com/xanmod/linux/releases/download/${pkgver}-rt${_rt}-xanmod${xanmod}/patch-${pkgver}-rt${_rt}-xanmod${xanmod}.xz" - choose-gcc-optimization.sh - '0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch') + choose-gcc-optimization.sh) validpgpkeys=( 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linux Torvalds '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman @@ -96,13 +81,11 @@ _commits="" for _patch in $_commits; do source+=("${_patch}.patch::https://git.archlinux.org/linux.git/patch/?id=${_patch}") done - sha256sums=('dcdf99e43e98330d925016985bfbc7b83c66d367b714b2de0cbbfcbf83d8ca43' 'SKIP' - 'a42403e47773873310b851e17be183713fcc85582719e336ca8f755591802ad3' - '03bb8b234a67b877a34a8212936ba69d8700c54c7877686cbd9742a536c87134' - '6c66dba73251440352f93ff32b72f5dd49536d0f17ef9347867660fd3a626991') + 'ba10641cff06d61da6b620a508d87ee424ebcec4a0fe08d293fb36ea23e505bc' + '03bb8b234a67b877a34a8212936ba69d8700c54c7877686cbd9742a536c87134') export KBUILD_BUILD_HOST=${KBUILD_BUILD_HOST:-archlinux} export KBUILD_BUILD_USER=${KBUILD_BUILD_USER:-makepkg} @@ -117,7 +100,7 @@ prepare() { msg2 "Setting version..." scripts/setlocalversion --save-scmversion echo "-$pkgrel" > localversion.10-pkgrel - echo "${pkgbase#linux}" > localversion.20-pkgname + echo "${pkgbase#linux-xanmod}" > localversion.20-pkgname # Archlinux patches local src @@ -148,18 +131,6 @@ prepare() { scripts/config --disable CONFIG_NUMA fi - if [ "$use_cachy" = "y" ]; then - msg2 "Enabling Cachy CPU scheduler by default (also NUMA and grouping for tasks, which are not compatible with Cachy)..." - scripts/config --disable CONFIG_NUMA - scripts/config --disable FAIR_GROUP_SCHED - scripts/config --enable CONFIG_CACHY_SCHED - fi - - if [ "$use_ns" = "n" ]; then - msg2 "Disabling CONFIG_USER_NS_UNPRIVILEGED" - scripts/config --disable CONFIG_USER_NS_UNPRIVILEGED - fi - # Let's user choose microarchitecture optimization in GCC sh ${srcdir}/choose-gcc-optimization.sh $_microarchitecture |