-rwxr-xr-x | .SRCINFO | 4 | ||||
-rw-r--r-- | Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch | 131 | ||||
-rwxr-xr-x | PKGBUILD | 40 |
3 files changed, 157 insertions, 18 deletions
@@ -1,6 +1,6 @@
 pkgbase = linux-bcachefs-git
 pkgdesc = Linux
- pkgver = v5.6.15.arch1.r903053.826b05af2cd6
+ pkgver = v5.6.16.arch1.r904675.5912f85bf2c7
 pkgrel = 1
 url = https://github.com/koverstreet/bcachefs
 arch = x86_64
@@ -19,12 +19,14 @@ pkgbase = linux-bcachefs-git
 source = git+https://github.com/graysky2/kernel_gcc_patch
 source = config
 source = sphinx-workaround.patch
+ source = Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch
 validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886
 validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E
 sha512sums = SKIP
 sha512sums = SKIP
 sha512sums = 7bce59dcbfce1850f31194974be7b300bce49a2da9205b213d1da57657f5acbfa38bba3b6daa8a25cfd814b13e87edd46664d88f80ef694a1cd219dfee37c3cd
 sha512sums = 98e97155f86bbe837d43f27ec1018b5b6fdc6c372d6f7f2a0fe29da117d53979d9f9c262f886850d92002898682781029b80d4ee923633fc068f979e6c8254be
+ sha512sums = 7d26264f3e5a80604283be188a40583ee51884ecdd6635e415ff905f6b845b9d437bb9089914c2930b42eac581ecf3306a844800ddfb6198ac026b6d45846a78
 
 pkgname = linux-bcachefs-git
 pkgdesc = The Linux kernel and modules ~ featuring Kent Overstreet's bcachefs filesystem
diff --git a/Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch b/Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch
new file mode 100644
index 000000000000..635ee9edc8bc
--- /dev/null
+++ b/Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch
@@ -0,0 +1,131 @@ +From e4f57a0db2a7a992e4a36a10e1b2167a3a83b3f4 Mon Sep 17 00:00:00 2001 +From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com> +Date: Mon, 16 Sep 2019 04:53:20 +0200 +Subject: ZEN: Add sysctl and CONFIG to disallow unprivileged CLONE_NEWUSER + +Our default behavior continues to match the vanilla kernel. +--- + init/Kconfig | 16 ++++++++++++++++ + kernel/fork.c | 15 +++++++++++++++ + kernel/sysctl.c | 12 ++++++++++++ + kernel/user_namespace.c | 7 +++++++ + 4 files changed, 50 insertions(+) + +diff --git a/init/Kconfig b/init/Kconfig +index 59908e87ece2..69899db94ae4 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1094,6 +1094,22 @@ config USER_NS + + If unsure, say N. + ++config USER_NS_UNPRIVILEGED ++ bool "Allow unprivileged users to create namespaces" ++ default y ++ depends on USER_NS ++ help ++ When disabled, unprivileged users will not be able to create ++ new namespaces. Allowing users to create their own namespaces ++ has been part of several recent local privilege escalation ++ exploits, so if you need user namespaces but are ++ paranoid^Wsecurity-conscious you want to disable this. ++ ++ This setting can be overridden at runtime via the ++ kernel.unprivileged_userns_clone sysctl. ++ ++ If unsure, say Y. 
++ + config PID_NS + bool "PID Namespaces" + default y +diff --git a/kernel/fork.c b/kernel/fork.c +index c9ba2b7bfef9..599349b67aca 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -106,6 +106,11 @@ + + #define CREATE_TRACE_POINTS + #include <trace/events/task.h> ++#ifdef CONFIG_USER_NS ++extern int unprivileged_userns_clone; ++#else ++#define unprivileged_userns_clone 0 ++#endif + + /* + * Minimum number of threads to boot the kernel +@@ -1844,6 +1849,10 @@ static __latent_entropy struct task_struct *copy_process( + if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) + return ERR_PTR(-EINVAL); + ++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) ++ if (!capable(CAP_SYS_ADMIN)) ++ return ERR_PTR(-EPERM); ++ + /* + * Thread groups must share signals as well, and detached threads + * can only be started up within the thread group. +@@ -2934,6 +2943,12 @@ int ksys_unshare(unsigned long unshare_flags) + if (unshare_flags & CLONE_NEWNS) + unshare_flags |= CLONE_FS; + ++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) { ++ err = -EPERM; ++ if (!capable(CAP_SYS_ADMIN)) ++ goto bad_unshare_out; ++ } ++ + err = check_unshare_flags(unshare_flags); + if (err) + goto bad_unshare_out; +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index ad5b88a53c5a..8f00d26b7b59 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -110,6 +110,9 @@ extern int core_uses_pid; + extern char core_pattern[]; + extern unsigned int core_pipe_limit; + #endif ++#ifdef CONFIG_USER_NS ++extern int unprivileged_userns_clone; ++#endif + extern int pid_max; + extern int pid_max_min, pid_max_max; + extern int percpu_pagelist_fraction; +@@ -546,6 +549,15 @@ static struct ctl_table kern_table[] = { + .proc_handler = proc_dointvec, + }, + #endif ++#ifdef CONFIG_USER_NS ++ { ++ .procname = "unprivileged_userns_clone", ++ .data = &unprivileged_userns_clone, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ }, 
++#endif + #ifdef CONFIG_PROC_SYSCTL + { + .procname = "tainted", +diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c +index 8eadadc478f9..c36ecd19562c 100644 +--- a/kernel/user_namespace.c ++++ b/kernel/user_namespace.c +@@ -21,6 +21,13 @@ + #include <linux/bsearch.h> + #include <linux/sort.h> + ++/* sysctl */ ++#ifdef CONFIG_USER_NS_UNPRIVILEGED ++int unprivileged_userns_clone = 1; ++#else ++int unprivileged_userns_clone; ++#endif ++ + static struct kmem_cache *user_ns_cachep __read_mostly; + static DEFINE_MUTEX(userns_state_mutex); + +-- +cgit v1.2.3-1-gf6bb5 + @@ -59,10 +59,10 @@ _subarch= _localmodcfg= pkgbase=linux-bcachefs-git -pkgver=v5.6.15.arch1.r903053.826b05af2cd6 +pkgver=v5.6.16.arch1.r904675.5912f85bf2c7 pkgrel=1 pkgdesc="Linux" -_srcver_tag=v5.6.15.arch1 +_srcver_tag=v5.6.16.arch1 url="https://github.com/koverstreet/bcachefs" arch=(x86_64) license=(GPL2) @@ -93,6 +93,7 @@ source=( "git+$_repo_url_gcc_patch" config # the main kernel config file sphinx-workaround.patch + Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch ) validpgpkeys=( "ABAF11C65A2970B130ABE3C479BE3E4300411886" # Linus Torvalds 
@@ -101,28 +102,33 @@ validpgpkeys=( sha512sums=('SKIP' 'SKIP' '7bce59dcbfce1850f31194974be7b300bce49a2da9205b213d1da57657f5acbfa38bba3b6daa8a25cfd814b13e87edd46664d88f80ef694a1cd219dfee37c3cd' - '98e97155f86bbe837d43f27ec1018b5b6fdc6c372d6f7f2a0fe29da117d53979d9f9c262f886850d92002898682781029b80d4ee923633fc068f979e6c8254be') + '98e97155f86bbe837d43f27ec1018b5b6fdc6c372d6f7f2a0fe29da117d53979d9f9c262f886850d92002898682781029b80d4ee923633fc068f979e6c8254be' + '7d26264f3e5a80604283be188a40583ee51884ecdd6635e415ff905f6b845b9d437bb9089914c2930b42eac581ecf3306a844800ddfb6198ac026b6d45846a78') export KBUILD_BUILD_HOST=archlinux export KBUILD_BUILD_USER=$pkgbase export KBUILD_BUILD_TIMESTAMP="$(date -Ru${SOURCE_DATE_EPOCH:+d @$SOURCE_DATE_EPOCH})" prepare() { - cd $_reponame + cd "$srcdir/$_reponame" msg2 "Setting version..." scripts/setlocalversion --save-scmversion echo "-$pkgrel" > localversion.10-pkgrel echo "${pkgbase#linux}" > localversion.20-pkgname - # msg2 "Pull tag from Linux stable upstream repository..." - # git remote add upstream_stable "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git" || true - # git pull --no-edit --no-commit upstream_stable ${_srcver_tag//-arch*/} - # git pull --no-edit --no-commit -s recursive -X ours upstream_stable ${_srcver_tag//-arch*/} - - msg2 "Pull stable tag from Arch vanilla kernel repository..." - git remote add arch_stable "https://git.archlinux.org/linux.git" || true - git pull --no-edit --no-commit arch_stable "${_srcver_tag%.*}-${_srcver_tag##*.}" + # msg2 "Pull stable tag from Arch vanilla kernel repository..." + # git remote add arch_stable "https://git.archlinux.org/linux.git" || true + # git pull --no-edit --no-commit arch_stable "${_srcver_tag%.*}-${_srcver_tag##*.}" + + msg2 "Pull tag from Linux stable upstream repository..." 
+ git remote add upstream_stable "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git" || true + git pull --no-edit --no-commit --rebase upstream_stable ${_srcver_tag//.arch*/} +# git pull --no-edit --no-commit -s recursive -X ours upstream_stable ${_srcver_tag//.arch*/} + + # https://git.archlinux.org/linux.git/commit/?h=v5.6.15-arch1&id=e4f57a0db2a7a992e4a36a10e1b2167a3a83b3f4 + msg2 "Patching with CLONE_NEWUSER patch ..." + patch -Np1 -i "$srcdir/Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch" # https://github.com/graysky2/kernel_gcc_patch msg2 "Patching with Graysky's additional gcc CPU optimizatons..." @@ -133,7 +139,7 @@ prepare() { msg2 "Setting config..." cp ../config .config - + if [ -n "$_subarch" ]; then yes "$_subarch" | make oldconfig else @@ -165,12 +171,12 @@ prepare() { } pkgver() { - cd $_reponame + cd "$srcdir/$_reponame" printf "%s.r%s.%s" "${_srcver_tag//-/.}" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)" } build() { - cd $_reponame + cd "$srcdir/$_reponame" make all make htmldocs } @@ -196,7 +202,7 @@ _package() { wireguard-arch ) - cd $_reponame + cd "$srcdir/$_reponame" local kernver="$(<version)" local modulesdir="$pkgdir/usr/lib/modules/$kernver" @@ -218,7 +224,7 @@ _package() { _package-headers() { pkgdesc="Header files and scripts for building modules for $pkgdesc kernel $_pkgdesc_extra" - cd $_reponame + cd "$srcdir/$_reponame" local builddir="$pkgdir/usr/lib/modules/$(<version)/build" msg2 "Installing build files..." |
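Review bot: The stable tag pulled from kernel.org in prepare() (`git pull --no-edit --no-commit --rebase upstream_stable ${_srcver_tag//.arch*/}`) is merged into the tree without its signature being checked, even though the PKGBUILD declares the kernel.org signing keys in validpgpkeys; makepkg only verifies the sources it fetches itself, so this manual pull is outside that check. Inserting `git fetch upstream_stable tag "${_srcver_tag//.arch*/}" && git verify-tag "${_srcver_tag//.arch*/}"` before the pull would tie the pulled tag to the keys already listed and fail the build on a bad or missing signature. Separately, the diffstat shows `config` is not touched by this commit, so the new CONFIG_USER_NS_UNPRIVILEGED symbol is presumably resolved by the oldconfig step to its `default y` and the package keeps vanilla behaviour unless kernel.unprivileged_userns_clone is set to 0 at runtime; a one-line comment next to the `patch -Np1` call stating this would stop readers assuming the package now restricts user namespaces. The commented-out `# git pull --no-edit --no-commit -s recursive -X ours upstream_stable ...` line is dead code and could be dropped. prepare()'s body continues past the hunk.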