summarylogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rwxr-xr-x.SRCINFO4
-rw-r--r--Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch131
-rwxr-xr-xPKGBUILD40
3 files changed, 157 insertions, 18 deletions
diff --git a/.SRCINFO b/.SRCINFO
index d943b2f72d07..3ca8fa71732f 100755
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
pkgbase = linux-bcachefs-git
pkgdesc = Linux
- pkgver = v5.6.15.arch1.r903053.826b05af2cd6
+ pkgver = v5.6.16.arch1.r904675.5912f85bf2c7
pkgrel = 1
url = https://github.com/koverstreet/bcachefs
arch = x86_64
@@ -19,12 +19,14 @@ pkgbase = linux-bcachefs-git
source = git+https://github.com/graysky2/kernel_gcc_patch
source = config
source = sphinx-workaround.patch
+ source = Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch
validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886
validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E
sha512sums = SKIP
sha512sums = SKIP
sha512sums = 7bce59dcbfce1850f31194974be7b300bce49a2da9205b213d1da57657f5acbfa38bba3b6daa8a25cfd814b13e87edd46664d88f80ef694a1cd219dfee37c3cd
sha512sums = 98e97155f86bbe837d43f27ec1018b5b6fdc6c372d6f7f2a0fe29da117d53979d9f9c262f886850d92002898682781029b80d4ee923633fc068f979e6c8254be
+ sha512sums = 7d26264f3e5a80604283be188a40583ee51884ecdd6635e415ff905f6b845b9d437bb9089914c2930b42eac581ecf3306a844800ddfb6198ac026b6d45846a78
pkgname = linux-bcachefs-git
pkgdesc = The Linux kernel and modules ~ featuring Kent Overstreet's bcachefs filesystem
diff --git a/Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch b/Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch
new file mode 100644
index 000000000000..635ee9edc8bc
--- /dev/null
+++ b/Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch
@@ -0,0 +1,131 @@
+From e4f57a0db2a7a992e4a36a10e1b2167a3a83b3f4 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
+Date: Mon, 16 Sep 2019 04:53:20 +0200
+Subject: ZEN: Add sysctl and CONFIG to disallow unprivileged CLONE_NEWUSER
+
+Our default behavior continues to match the vanilla kernel.
+---
+ init/Kconfig | 16 ++++++++++++++++
+ kernel/fork.c | 15 +++++++++++++++
+ kernel/sysctl.c | 12 ++++++++++++
+ kernel/user_namespace.c | 7 +++++++
+ 4 files changed, 50 insertions(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 59908e87ece2..69899db94ae4 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1094,6 +1094,22 @@ config USER_NS
+
+ If unsure, say N.
+
++config USER_NS_UNPRIVILEGED
++ bool "Allow unprivileged users to create namespaces"
++ default y
++ depends on USER_NS
++ help
++ When disabled, unprivileged users will not be able to create
++ new namespaces. Allowing users to create their own namespaces
++ has been part of several recent local privilege escalation
++ exploits, so if you need user namespaces but are
++ paranoid^Wsecurity-conscious you want to disable this.
++
++ This setting can be overridden at runtime via the
++ kernel.unprivileged_userns_clone sysctl.
++
++ If unsure, say Y.
++
+ config PID_NS
+ bool "PID Namespaces"
+ default y
+diff --git a/kernel/fork.c b/kernel/fork.c
+index c9ba2b7bfef9..599349b67aca 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -106,6 +106,11 @@
+
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/task.h>
++#ifdef CONFIG_USER_NS
++extern int unprivileged_userns_clone;
++#else
++#define unprivileged_userns_clone 0
++#endif
+
+ /*
+ * Minimum number of threads to boot the kernel
+@@ -1844,6 +1849,10 @@ static __latent_entropy struct task_struct *copy_process(
+ if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
+ return ERR_PTR(-EINVAL);
+
++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
++ if (!capable(CAP_SYS_ADMIN))
++ return ERR_PTR(-EPERM);
++
+ /*
+ * Thread groups must share signals as well, and detached threads
+ * can only be started up within the thread group.
+@@ -2934,6 +2943,12 @@ int ksys_unshare(unsigned long unshare_flags)
+ if (unshare_flags & CLONE_NEWNS)
+ unshare_flags |= CLONE_FS;
+
++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
++ err = -EPERM;
++ if (!capable(CAP_SYS_ADMIN))
++ goto bad_unshare_out;
++ }
++
+ err = check_unshare_flags(unshare_flags);
+ if (err)
+ goto bad_unshare_out;
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index ad5b88a53c5a..8f00d26b7b59 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -110,6 +110,9 @@ extern int core_uses_pid;
+ extern char core_pattern[];
+ extern unsigned int core_pipe_limit;
+ #endif
++#ifdef CONFIG_USER_NS
++extern int unprivileged_userns_clone;
++#endif
+ extern int pid_max;
+ extern int pid_max_min, pid_max_max;
+ extern int percpu_pagelist_fraction;
+@@ -546,6 +549,15 @@ static struct ctl_table kern_table[] = {
+ .proc_handler = proc_dointvec,
+ },
+ #endif
++#ifdef CONFIG_USER_NS
++ {
++ .procname = "unprivileged_userns_clone",
++ .data = &unprivileged_userns_clone,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
++ },
++#endif
+ #ifdef CONFIG_PROC_SYSCTL
+ {
+ .procname = "tainted",
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 8eadadc478f9..c36ecd19562c 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -21,6 +21,13 @@
+ #include <linux/bsearch.h>
+ #include <linux/sort.h>
+
++/* sysctl */
++#ifdef CONFIG_USER_NS_UNPRIVILEGED
++int unprivileged_userns_clone = 1;
++#else
++int unprivileged_userns_clone;
++#endif
++
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+
+--
+cgit v1.2.3-1-gf6bb5
+
diff --git a/PKGBUILD b/PKGBUILD
index f4fd5d54de76..3fff65c43baf 100755
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -59,10 +59,10 @@ _subarch=
_localmodcfg=
pkgbase=linux-bcachefs-git
-pkgver=v5.6.15.arch1.r903053.826b05af2cd6
+pkgver=v5.6.16.arch1.r904675.5912f85bf2c7
pkgrel=1
pkgdesc="Linux"
-_srcver_tag=v5.6.15.arch1
+_srcver_tag=v5.6.16.arch1
url="https://github.com/koverstreet/bcachefs"
arch=(x86_64)
license=(GPL2)
@@ -93,6 +93,7 @@ source=(
"git+$_repo_url_gcc_patch"
config # the main kernel config file
sphinx-workaround.patch
+ Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch
)
validpgpkeys=(
"ABAF11C65A2970B130ABE3C479BE3E4300411886" # Linus Torvalds
@@ -101,28 +102,33 @@ validpgpkeys=(
sha512sums=('SKIP'
'SKIP'
'7bce59dcbfce1850f31194974be7b300bce49a2da9205b213d1da57657f5acbfa38bba3b6daa8a25cfd814b13e87edd46664d88f80ef694a1cd219dfee37c3cd'
- '98e97155f86bbe837d43f27ec1018b5b6fdc6c372d6f7f2a0fe29da117d53979d9f9c262f886850d92002898682781029b80d4ee923633fc068f979e6c8254be')
+ '98e97155f86bbe837d43f27ec1018b5b6fdc6c372d6f7f2a0fe29da117d53979d9f9c262f886850d92002898682781029b80d4ee923633fc068f979e6c8254be'
+ '7d26264f3e5a80604283be188a40583ee51884ecdd6635e415ff905f6b845b9d437bb9089914c2930b42eac581ecf3306a844800ddfb6198ac026b6d45846a78')
export KBUILD_BUILD_HOST=archlinux
export KBUILD_BUILD_USER=$pkgbase
export KBUILD_BUILD_TIMESTAMP="$(date -Ru${SOURCE_DATE_EPOCH:+d @$SOURCE_DATE_EPOCH})"
prepare() {
- cd $_reponame
+ cd "$srcdir/$_reponame"
msg2 "Setting version..."
scripts/setlocalversion --save-scmversion
echo "-$pkgrel" > localversion.10-pkgrel
echo "${pkgbase#linux}" > localversion.20-pkgname
- # msg2 "Pull tag from Linux stable upstream repository..."
- # git remote add upstream_stable "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git" || true
- # git pull --no-edit --no-commit upstream_stable ${_srcver_tag//-arch*/}
- # git pull --no-edit --no-commit -s recursive -X ours upstream_stable ${_srcver_tag//-arch*/}
-
- msg2 "Pull stable tag from Arch vanilla kernel repository..."
- git remote add arch_stable "https://git.archlinux.org/linux.git" || true
- git pull --no-edit --no-commit arch_stable "${_srcver_tag%.*}-${_srcver_tag##*.}"
+ # msg2 "Pull stable tag from Arch vanilla kernel repository..."
+ # git remote add arch_stable "https://git.archlinux.org/linux.git" || true
+ # git pull --no-edit --no-commit arch_stable "${_srcver_tag%.*}-${_srcver_tag##*.}"
+
+ msg2 "Pull tag from Linux stable upstream repository..."
+ git remote add upstream_stable "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git" || true
+ git pull --no-edit --no-commit --rebase upstream_stable ${_srcver_tag//.arch*/}
+# git pull --no-edit --no-commit -s recursive -X ours upstream_stable ${_srcver_tag//.arch*/}
+
+ # https://git.archlinux.org/linux.git/commit/?h=v5.6.15-arch1&id=e4f57a0db2a7a992e4a36a10e1b2167a3a83b3f4
+ msg2 "Patching with CLONE_NEWUSER patch ..."
+ patch -Np1 -i "$srcdir/Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch"
# https://github.com/graysky2/kernel_gcc_patch
msg2 "Patching with Graysky's additional gcc CPU optimizatons..."
@@ -133,7 +139,7 @@ prepare() {
msg2 "Setting config..."
cp ../config .config
-
+
if [ -n "$_subarch" ]; then
yes "$_subarch" | make oldconfig
else
@@ -165,12 +171,12 @@ prepare() {
}
pkgver() {
- cd $_reponame
+ cd "$srcdir/$_reponame"
printf "%s.r%s.%s" "${_srcver_tag//-/.}" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
}
build() {
- cd $_reponame
+ cd "$srcdir/$_reponame"
make all
make htmldocs
}
@@ -196,7 +202,7 @@ _package() {
wireguard-arch
)
- cd $_reponame
+ cd "$srcdir/$_reponame"
local kernver="$(<version)"
local modulesdir="$pkgdir/usr/lib/modules/$kernver"
@@ -218,7 +224,7 @@ _package() {
_package-headers() {
pkgdesc="Header files and scripts for building modules for $pkgdesc kernel $_pkgdesc_extra"
- cd $_reponame
+ cd "$srcdir/$_reponame"
local builddir="$pkgdir/usr/lib/modules/$(<version)/build"
msg2 "Installing build files..."