-rw-r--r--.SRCINFO18
-rw-r--r--0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch57
-rw-r--r--PKGBUILD14
-rw-r--r--config4
4 files changed, 78 insertions, 15 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 92ebf4b2111..71aa8d3fcb8 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,5 +1,5 @@
pkgbase = linux-rc
- pkgver = 5.1.8rc1
+ pkgver = 5.1.9rc1
pkgrel = 1
url = https://www.kernel.org/
arch = x86_64
@@ -9,26 +9,28 @@ pkgbase = linux-rc
makedepends = bc
makedepends = libelf
options = !strip
- source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.1.7.tar.xz
- source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.1.7.tar.sign
- source = https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.1.8-rc1.xz
- source = https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.1.8-rc1.sign
+ source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.1.8.tar.xz
+ source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.1.8.tar.sign
+ source = https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.1.9-rc1.xz
+ source = https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.1.9-rc1.sign
source = config
source = 60-linux.hook
source = 90-linux.hook
source = linux.preset
source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+ source = 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886
validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E
- sha256sums = 0246d04df2b799bd0adbde8f24fcb0daa18819fa5442e9bdd6992979b7adf3a6
+ sha256sums = d0164ffcc6e2ab3a96cc771d3fbdf2f8b49a2597ec4da9a06df590b0fe87a6ec
sha256sums = SKIP
- sha256sums = e15a44b8bf320be64b987e30abea8184dab57d25d2323399fdf14c842c6be27e
+ sha256sums = f2e99c56db408c7f695fa80507201036e4828f23e202800d4cac94d46e13517f
sha256sums = SKIP
- sha256sums = 02390efe7637927502bc834daf3f413ea5e2cb084bca125372e70dc9438e824c
+ sha256sums = 2e555646f47002c3e76e2a8405d33a64fcc8cf060ef5430881a5d144d8e3bc98
sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21
sha256sums = c043f3033bb781e2688794a59f6d1f7ed49ef9b13eb77ff9a425df33a244a636
sha256sums = ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65
sha256sums = 4fb1ddb2d03db2f6d9d11ba5b4dbc6abcdf5a9a6dd94c94634aa032690c48629
+ sha256sums = 1625f1a883c38e64e84ad769714a18991e824d9a271ba5862600df32a5761aec
pkgname = linux-rc
pkgdesc = The release candidate kernel and modules
diff --git a/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch b/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
new file mode 100644
index 00000000000..6c25e34545b
--- /dev/null
+++ b/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
@@ -0,0 +1,57 @@
+From d279aeda16b4cc525a0a2c4747946d87683e3e51 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
+Date: Thu, 7 Dec 2017 13:50:48 +0100
+Subject: [PATCH 2/3] ZEN: Add CONFIG for unprivileged_userns_clone
+
+This way our default behavior continues to match the vanilla kernel.
+---
+ init/Kconfig | 16 ++++++++++++++++
+ kernel/user_namespace.c | 4 ++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 4592bf7997c0..f3df02990aff 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1004,6 +1004,22 @@ config USER_NS
+
+ If unsure, say N.
+
++config USER_NS_UNPRIVILEGED
++ bool "Allow unprivileged users to create namespaces"
++ default y
++ depends on USER_NS
++ help
++ When disabled, unprivileged users will not be able to create
++ new namespaces. Allowing users to create their own namespaces
++ has been part of several recent local privilege escalation
++ exploits, so if you need user namespaces but are
++ paranoid^Wsecurity-conscious you want to disable this.
++
++ This setting can be overridden at runtime via the
++ kernel.unprivileged_userns_clone sysctl.
++
++ If unsure, say Y.
++
+ config PID_NS
+ bool "PID Namespaces"
+ default y
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 6b9dbc257e34..107b17f0d528 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -27,7 +27,11 @@
+ #include <linux/sort.h>
+
+ /* sysctl */
++#ifdef CONFIG_USER_NS_UNPRIVILEGED
++int unprivileged_userns_clone = 1;
++#else
+ int unprivileged_userns_clone;
++#endif
+
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+--
+2.22.0
+
diff --git a/PKGBUILD b/PKGBUILD
index 9579a3f92a5..0567e8d1f8d 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -5,8 +5,8 @@
pkgbase=linux-rc
pkgrel=1
_srcname=linux-5.1
-_stable=5.1.7
-_patchver=5.1.8
+_stable=5.1.8
+_patchver=5.1.9
_rcver=1
pkgver=${_patchver}rc${_rcver}
_rcpatch=patch-${_patchver}-rc${_rcver}
@@ -23,21 +23,23 @@ source=(
90-linux.hook # pacman hook for initramfs regeneration
linux.preset # standard config files for mkinitcpio ramdisk
0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+ 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
# Arch-Linux-kernel-vx.xx.x-arch1.patch is not needed for rc1
)
validpgpkeys=(
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
'647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
)
-sha256sums=('0246d04df2b799bd0adbde8f24fcb0daa18819fa5442e9bdd6992979b7adf3a6'
+sha256sums=('d0164ffcc6e2ab3a96cc771d3fbdf2f8b49a2597ec4da9a06df590b0fe87a6ec'
'SKIP'
- 'e15a44b8bf320be64b987e30abea8184dab57d25d2323399fdf14c842c6be27e'
+ 'f2e99c56db408c7f695fa80507201036e4828f23e202800d4cac94d46e13517f'
'SKIP'
- '02390efe7637927502bc834daf3f413ea5e2cb084bca125372e70dc9438e824c'
+ '2e555646f47002c3e76e2a8405d33a64fcc8cf060ef5430881a5d144d8e3bc98'
'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
'c043f3033bb781e2688794a59f6d1f7ed49ef9b13eb77ff9a425df33a244a636'
'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
- '4fb1ddb2d03db2f6d9d11ba5b4dbc6abcdf5a9a6dd94c94634aa032690c48629')
+ '4fb1ddb2d03db2f6d9d11ba5b4dbc6abcdf5a9a6dd94c94634aa032690c48629'
+ '1625f1a883c38e64e84ad769714a18991e824d9a271ba5862600df32a5761aec')
_kernelname=${pkgbase#linux}
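Review bot: The new source entry `0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch` is order-dependent on 0001, because its kernel/user_namespace.c hunk wraps the `int unprivileged_userns_clone;` definition that 0001 presumably introduces (the symbol is not in the vanilla tree), and nothing in the source array records that dependency. Whether prepare() actually applies the new file is outside this hunk; if patches are applied by explicit name rather than by iterating over the source array, it needs its own line there as well. Because the added Kconfig option defaults to y and the config section sets `CONFIG_USER_NS_UNPRIVILEGED=y`, the build keeps unprivileged user-namespace creation enabled at boot with only the `kernel.unprivileged_userns_clone` sysctl as a runtime opt-out, which is worth stating next to the entry, e.g. `0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch # after 0001: CONFIG_USER_NS_UNPRIVILEGED (default y), runtime override via kernel.unprivileged_userns_clone sysctl`.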
diff --git a/config b/config
index f9f36d1da9e..4fa789c11f3 100644
--- a/config
+++ b/config
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 5.1.0-arch1 Kernel Configuration
+# Linux/x86 5.1.8-arch1 Kernel Configuration
#
#
@@ -167,6 +167,7 @@ CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
+CONFIG_USER_NS_UNPRIVILEGED=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_CHECKPOINT_RESTORE=y
@@ -780,6 +781,7 @@ CONFIG_HAVE_RELIABLE_STACKTRACE=y
CONFIG_ISA_BUS_API=y
CONFIG_OLD_SIGSUSPEND3=y
CONFIG_COMPAT_OLD_SIGACTION=y
+CONFIG_64BIT_TIME=y
CONFIG_COMPAT_32BIT_TIME=y
CONFIG_HAVE_ARCH_VMAP_STACK=y
CONFIG_VMAP_STACK=y