diff options
-rw-r--r-- | .SRCINFO | 18 | ||||
-rw-r--r-- | 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch | 57 | ||||
-rw-r--r-- | PKGBUILD | 10 | ||||
-rw-r--r-- | config | 6 |
4 files changed, 77 insertions, 14 deletions
@@ -1,5 +1,5 @@ pkgbase = linux-ck - pkgver = 5.1.8 + pkgver = 5.1.9 pkgrel = 1 url = https://wiki.archlinux.org/index.php/Linux-ck arch = x86_64 @@ -9,8 +9,8 @@ pkgbase = linux-ck makedepends = bc makedepends = libelf options = !strip - source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.1.8.tar.xz - source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.1.8.tar.sign + source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.1.9.tar.xz + source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.1.9.tar.sign source = config source = 60-linux.hook source = 90-linux.hook @@ -18,17 +18,19 @@ pkgbase = linux-ck source = enable_additional_cpu_optimizations-20180509.tar.gz::https://github.com/graysky2/kernel_gcc_patch/archive/20180509.tar.gz source = http://ck.kolivas.org/patches/5.0/5.1/5.1-ck1/patch-5.1-ck1.xz source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch + source = 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886 validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E - sha256sums = d0164ffcc6e2ab3a96cc771d3fbdf2f8b49a2597ec4da9a06df590b0fe87a6ec + sha256sums = 58c9eca99c3dd2fff5b559302996c985c3f3f2aad0b99b2172a61c4df7122a79 sha256sums = SKIP - sha256sums = 7af14b92ef808cb57b4a09156e5cd3a6e32c31fc5eb942ec4b1402426a22cf0e + sha256sums = e3d57571bd886f1dbd79f0a85a1a193a1ace0f332abc60e59f14697dbebf993d sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21 sha256sums = c043f3033bb781e2688794a59f6d1f7ed49ef9b13eb77ff9a425df33a244a636 sha256sums = ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65 sha256sums = 226e30068ea0fecdb22f337391385701996bfbdba37cdcf0f1dbf55f1080542d sha256sums = f8d18a34f6b17ec8e5f2a7354383ca627e0fd00b5578c1ee7d9808a34f33c724 sha256sums = 91fafa76bf9cb32159ac7f22191b3589278b91e65bc4505cf2fc6013b8037bf3 + sha256sums = 63e4378e69e2f23ed87af32a4951477a6d82d4ac0de2295db46502c8120da9d9 pkgname = linux-ck pkgdesc = The Linux-ck kernel and modules with the ck1 patchset featuring MuQSS CPU scheduler v0.192 @@ -38,12 +40,12 @@ pkgname = linux-ck depends = kmod depends = mkinitcpio optdepends = crda: to set the correct wireless channels of your country - provides = linux-ck=5.1.8 + provides = linux-ck=5.1.9 backup = etc/mkinitcpio.d/linux-ck.preset pkgname = linux-ck-headers pkgdesc = Header files and scripts for building modules for Linux-ck kernel depends = linux-ck - provides = linux-ck-headers=5.1.8 - provides = linux-headers=5.1.8 + provides = linux-ck-headers=5.1.9 + provides = linux-headers=5.1.9 diff --git a/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch b/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch new file mode 100644 index 000000000000..dfa89cceaeac --- /dev/null +++ b/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch @@ -0,0 +1,57 @@ +From b30ec6648774140adcbfc9b0e813ecfd0785f79d Mon Sep 17 00:00:00 2001 +From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com> +Date: Thu, 7 Dec 2017 13:50:48 +0100 +Subject: [PATCH 2/3] ZEN: Add CONFIG for unprivileged_userns_clone + +This way our default behavior continues to match the vanilla kernel. +--- + init/Kconfig | 16 ++++++++++++++++ + kernel/user_namespace.c | 4 ++++ + 2 files changed, 20 insertions(+) + +diff --git a/init/Kconfig b/init/Kconfig +index 4592bf7997c0..f3df02990aff 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1004,6 +1004,22 @@ config USER_NS + + If unsure, say N. + ++config USER_NS_UNPRIVILEGED ++ bool "Allow unprivileged users to create namespaces" ++ default y ++ depends on USER_NS ++ help ++ When disabled, unprivileged users will not be able to create ++ new namespaces. Allowing users to create their own namespaces ++ has been part of several recent local privilege escalation ++ exploits, so if you need user namespaces but are ++ paranoid^Wsecurity-conscious you want to disable this. ++ ++ This setting can be overridden at runtime via the ++ kernel.unprivileged_userns_clone sysctl. ++ ++ If unsure, say Y. ++ + config PID_NS + bool "PID Namespaces" + default y +diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c +index 6b9dbc257e34..107b17f0d528 100644 +--- a/kernel/user_namespace.c ++++ b/kernel/user_namespace.c +@@ -27,7 +27,11 @@ + #include <linux/sort.h> + + /* sysctl */ ++#ifdef CONFIG_USER_NS_UNPRIVILEGED ++int unprivileged_userns_clone = 1; ++#else + int unprivileged_userns_clone; ++#endif + + static struct kmem_cache *user_ns_cachep __read_mostly; + static DEFINE_MUTEX(userns_state_mutex); +-- +2.22.0 + @@ -61,7 +61,7 @@ _localmodcfg= ### IMPORTANT: Do no edit below this line unless you know what you're doing pkgbase=linux-ck -_srcver=5.1.8-arch1 +_srcver=5.1.9-arch1 pkgver=${_srcver%-*} pkgrel=1 _ckpatchversion=1 @@ -81,20 +81,22 @@ source=( "enable_additional_cpu_optimizations-$_gcc_more_v.tar.gz::https://github.com/graysky2/kernel_gcc_patch/archive/$_gcc_more_v.tar.gz" "http://ck.kolivas.org/patches/5.0/5.1/5.1-ck${_ckpatchversion}/$_ckpatch.xz" 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch + 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch ) validpgpkeys=( 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman ) -sha256sums=('d0164ffcc6e2ab3a96cc771d3fbdf2f8b49a2597ec4da9a06df590b0fe87a6ec' +sha256sums=('58c9eca99c3dd2fff5b559302996c985c3f3f2aad0b99b2172a61c4df7122a79' 'SKIP' - '7af14b92ef808cb57b4a09156e5cd3a6e32c31fc5eb942ec4b1402426a22cf0e' + 'e3d57571bd886f1dbd79f0a85a1a193a1ace0f332abc60e59f14697dbebf993d' 'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21' 'c043f3033bb781e2688794a59f6d1f7ed49ef9b13eb77ff9a425df33a244a636' 'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65' '226e30068ea0fecdb22f337391385701996bfbdba37cdcf0f1dbf55f1080542d' 'f8d18a34f6b17ec8e5f2a7354383ca627e0fd00b5578c1ee7d9808a34f33c724' - '91fafa76bf9cb32159ac7f22191b3589278b91e65bc4505cf2fc6013b8037bf3') + '91fafa76bf9cb32159ac7f22191b3589278b91e65bc4505cf2fc6013b8037bf3' + '63e4378e69e2f23ed87af32a4951477a6d82d4ac0de2295db46502c8120da9d9') _kernelname=${pkgbase#linux} : ${_kernelname:=-ARCH} @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.1.2 Kernel Configuration +# Linux/x86 5.1.9 Kernel Configuration # # @@ -163,6 +163,7 @@ CONFIG_NAMESPACES=y CONFIG_UTS_NS=y CONFIG_IPC_NS=y CONFIG_USER_NS=y +CONFIG_USER_NS_UNPRIVILEGED=y CONFIG_PID_NS=y CONFIG_NET_NS=y CONFIG_CHECKPOINT_RESTORE=y @@ -782,6 +783,7 @@ CONFIG_HAVE_RELIABLE_STACKTRACE=y CONFIG_ISA_BUS_API=y CONFIG_OLD_SIGSUSPEND3=y CONFIG_COMPAT_OLD_SIGACTION=y +CONFIG_64BIT_TIME=y CONFIG_COMPAT_32BIT_TIME=y CONFIG_HAVE_ARCH_VMAP_STACK=y CONFIG_VMAP_STACK=y @@ -5995,7 +5997,6 @@ CONFIG_DRM_DP_CEC=y CONFIG_DRM_TTM=m CONFIG_DRM_GEM_CMA_HELPER=y CONFIG_DRM_KMS_CMA_HELPER=y -CONFIG_DRM_VM=y CONFIG_DRM_SCHED=m # @@ -6039,6 +6040,7 @@ CONFIG_CHASH=m # CONFIG_CHASH_STATS is not set # CONFIG_CHASH_SELFTEST is not set CONFIG_DRM_NOUVEAU=m +# CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT is not set CONFIG_NOUVEAU_DEBUG=5 CONFIG_NOUVEAU_DEBUG_DEFAULT=3 # CONFIG_NOUVEAU_DEBUG_MMU is not set |