-rw-r--r--.SRCINFO4
-rw-r--r--0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch (renamed from 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch)75
-rw-r--r--PKGBUILD35
3 files changed, 87 insertions, 27 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 4f6faf72e14f..e5d2b1c55451 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -20,13 +20,13 @@ pkgbase = linux-xanmod-lts
source = 90-linux.hook
source = linux-xanmod-lts.preset
source = choose-gcc-optimization.sh
- source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+ source = 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch
sha256sums = fb64eca226d3ba2a402e89824ab3c7bab70fc791a80facde483d19a50e0b2e1e
sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21
sha256sums = 75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919
sha256sums = ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65
sha256sums = bae7b9253512ef5724629738bfd4460494a08566f8225b9d8ec544ea8cc2f3a5
- sha256sums = 36b1118c8dedadc4851150ddd4eb07b1c58ac5bbf3022cc2501a27c2b476da98
+ sha256sums = 9c507bdb0062b5b54c6969f7da9ec18b259e06cd26dbe900cfe79a7ffb2713ee
pkgname = linux-xanmod-lts
pkgdesc = The Linux kernel and modules with Xanmod patches
diff --git a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch
index a989d666aa76..5d4014a2b457 100644
--- a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+++ b/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch
@@ -1,24 +1,49 @@
-From 4e54373158caa50df5402fdd3db1794c5394026b Mon Sep 17 00:00:00 2001
-Message-Id: <4e54373158caa50df5402fdd3db1794c5394026b.1516188238.git.jan.steffens@gmail.com>
-From: Serge Hallyn <serge.hallyn@canonical.com>
-Date: Fri, 31 May 2013 19:12:12 +0100
-Subject: [PATCH 1/4] add sysctl to disallow unprivileged CLONE_NEWUSER by
- default
+From a8d736bad70d4062a14c29bdcbed71bef7b575f5 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
+Date: Mon, 16 Sep 2019 04:53:20 +0200
+Subject: [PATCH 01/15] ZEN: Add sysctl and CONFIG to disallow unprivileged
+ CLONE_NEWUSER
-Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-[bwh: Remove unneeded binary sysctl bits]
-Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Our default behavior continues to match the vanilla kernel.
---
+ init/Kconfig | 16 ++++++++++++++++
kernel/fork.c | 15 +++++++++++++++
kernel/sysctl.c | 12 ++++++++++++
- kernel/user_namespace.c | 3 +++
- 3 files changed, 30 insertions(+)
+ kernel/user_namespace.c | 7 +++++++
+ 4 files changed, 50 insertions(+)
+diff --git a/init/Kconfig b/init/Kconfig
+index b4daad2bac23..362f82c5ec07 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1118,6 +1118,22 @@ config USER_NS
+
+ If unsure, say N.
+
++config USER_NS_UNPRIVILEGED
++ bool "Allow unprivileged users to create namespaces"
++ default y
++ depends on USER_NS
++ help
++ When disabled, unprivileged users will not be able to create
++ new namespaces. Allowing users to create their own namespaces
++ has been part of several recent local privilege escalation
++ exploits, so if you need user namespaces but are
++ paranoid^Wsecurity-conscious you want to disable this.
++
++ This setting can be overridden at runtime via the
++ kernel.unprivileged_userns_clone sysctl.
++
++ If unsure, say Y.
++
+ config PID_NS
+ bool "PID Namespaces"
+ default y
diff --git a/kernel/fork.c b/kernel/fork.c
-index 500ce64517d9..35f5860958b4 100644
+index 755d8160e001..ed909f8050b2 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
-@@ -102,6 +102,11 @@
+@@ -106,6 +106,11 @@
#define CREATE_TRACE_POINTS
#include <trace/events/task.h>
@@ -30,7 +55,7 @@ index 500ce64517d9..35f5860958b4 100644
/*
* Minimum number of threads to boot the kernel
-@@ -1554,6 +1559,10 @@ static __latent_entropy struct task_struct *copy_process(
+@@ -1779,6 +1784,10 @@ static __latent_entropy struct task_struct *copy_process(
if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
return ERR_PTR(-EINVAL);
@@ -41,7 +66,7 @@ index 500ce64517d9..35f5860958b4 100644
/*
* Thread groups must share signals as well, and detached threads
* can only be started up within the thread group.
-@@ -2347,6 +2356,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
+@@ -2836,6 +2845,12 @@ int ksys_unshare(unsigned long unshare_flags)
if (unshare_flags & CLONE_NEWNS)
unshare_flags |= CLONE_FS;
@@ -55,10 +80,10 @@ index 500ce64517d9..35f5860958b4 100644
if (err)
goto bad_unshare_out;
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index 56aca862c4f5..e8402ba393c1 100644
+index 70665934d53e..9797869ed829 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
-@@ -105,6 +105,9 @@ extern int core_uses_pid;
+@@ -110,6 +110,9 @@ extern int core_uses_pid;
extern char core_pattern[];
extern unsigned int core_pipe_limit;
#endif
@@ -68,7 +93,7 @@ index 56aca862c4f5..e8402ba393c1 100644
extern int pid_max;
extern int pid_max_min, pid_max_max;
extern int percpu_pagelist_fraction;
-@@ -513,6 +516,15 @@ static struct ctl_table kern_table[] = {
+@@ -546,6 +549,15 @@ static struct ctl_table kern_table[] = {
.proc_handler = proc_dointvec,
},
#endif
@@ -85,19 +110,23 @@ index 56aca862c4f5..e8402ba393c1 100644
{
.procname = "tainted",
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index c490f1e4313b..dd03bd39d7bf 100644
+index 8eadadc478f9..c36ecd19562c 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
-@@ -24,6 +24,9 @@
- #include <linux/projid.h>
- #include <linux/fs_struct.h>
+@@ -21,6 +21,13 @@
+ #include <linux/bsearch.h>
+ #include <linux/sort.h>
+/* sysctl */
++#ifdef CONFIG_USER_NS_UNPRIVILEGED
++int unprivileged_userns_clone = 1;
++#else
+int unprivileged_userns_clone;
++#endif
+
static struct kmem_cache *user_ns_cachep __read_mostly;
static DEFINE_MUTEX(userns_state_mutex);
--
-2.15.1
+2.25.0
diff --git a/PKGBUILD b/PKGBUILD
index 741bba6e1af6..301eae70653d 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -49,6 +49,20 @@ if [ -z ${use_ns+x} ]; then
fi
##
+# Compile ONLY used modules to VASTLYreduce the number of modules built
+# and the build time.
+#
+# To keep track of which modules are needed for your specific system/hardware,
+# give module_db script a try: https://aur.archlinux.org/packages/modprobed-db
+# This PKGBUILD read the database kept if it exists
+#
+# More at this wiki page ---> https://wiki.archlinux.org/index.php/Modprobed-db
+if [ -z ${_localmodcfg} ]; then
+ _localmodcfg=n
+fi
+
+### IMPORTANT: Do no edit below this line unless you know what you're doing
+
pkgbase=linux-xanmod-lts
_srcname=linux
pkgver=4.19.102
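Review bot: The new guard `if [ -z ${_localmodcfg} ]; then` leaves the expansion unquoted, so when the variable is unset the test collapses to `[ -z ]` and only passes because a one-argument test treats the literal string `-z` as non-empty; it should read `if [ -z "${_localmodcfg}" ]; then`. The comment block above it also has two typos a user will read, `VASTLYreduce` and `Do no edit below this line`, and `This PKGBUILD read the database kept if it exists` should be `This PKGBUILD reads the database if it exists`. This hunk sits at file top level, outside any function.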
@@ -69,7 +83,7 @@ source=(https://github.com/xanmod/linux/archive/${pkgver}-xanmod${xanmod}.tar.gz
90-linux.hook # pacman hook for initramfs regeneration
${pkgbase}.preset # standard config files for mkinitcpio ramdisk
choose-gcc-optimization.sh
- 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch # Grabbed from linux-ck package
+ 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch # Grabbed from linux-ck package
)
sha256sums=('fb64eca226d3ba2a402e89824ab3c7bab70fc791a80facde483d19a50e0b2e1e'
@@ -77,7 +91,7 @@ sha256sums=('fb64eca226d3ba2a402e89824ab3c7bab70fc791a80facde483d19a50e0b2e1e'
'75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
'bae7b9253512ef5724629738bfd4460494a08566f8225b9d8ec544ea8cc2f3a5'
- '36b1118c8dedadc4851150ddd4eb07b1c58ac5bbf3022cc2501a27c2b476da98')
+ '9c507bdb0062b5b54c6969f7da9ec18b259e06cd26dbe900cfe79a7ffb2713ee')
_kernelname=${pkgbase#linux}
@@ -128,6 +142,11 @@ prepare() {
scripts/config --disable CONFIG_USER_NS_UNPRIVILEGED
fi
+ if [ "$use_ns" = "n" ]; then
+ msg2 "Disabling CONFIG_USER_NS_UNPRIVILEGED"
+ scripts/config --disable CONFIG_USER_NS_UNPRIVILEGED
+ fi
+
# Let's user choose microarchitecture optimization in GCC
${srcdir}/choose-gcc-optimization.sh $_microarchitecture
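Review bot: The added `if [ "$use_ns" = "n" ]` block appears to duplicate the block that ends in the two context lines directly above it, which already run `scripts/config --disable CONFIG_USER_NS_UNPRIVILEGED` inside a `fi`; the opening `if` of that earlier block is outside the hunk, so this is inferred from the context lines. Running the same disable twice is harmless but leaves two copies to keep in sync, so either the new block should be dropped or the earlier one removed if this was meant to replace it. The enclosing function prepare() starts outside the hunk.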
@@ -140,6 +159,18 @@ prepare() {
make olddefconfig
+ ### Optionally load needed modules for the make localmodconfig
+ # See https://aur.archlinux.org/packages/modprobed-db
+ if [ "$_localmodcfg" = "y" ]; then
+ if [ -f $HOME/.config/modprobed.db ]; then
+ msg2 "Running Steven Rostedt's make localmodconfig now"
+ make LSMOD=$HOME/.config/modprobed.db localmodconfig
+ else
+ msg2 "No modprobed.db data found"
+ exit
+ fi
+ fi
+
make -s kernelrelease > ../version
msg2 "Prepared %s version %s" "$pkgbase" "$(<../version)"
}
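Review bot: The bare `exit` in the missing-modprobed.db branch exits with the status of the preceding `msg2`, which on success is 0, so the build may look successful at that point rather than failing with an error; it should be `exit 1` (or `return 1`) so that the missing database is reported as a failure. The two uses of `$HOME/.config/modprobed.db` are also unquoted; `if [ -f "$HOME/.config/modprobed.db" ]; then` and `make LSMOD="$HOME/.config/modprobed.db" localmodconfig` survive a home directory containing spaces. The enclosing function prepare() starts outside the hunk.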