From b30ec6648774140adcbfc9b0e813ecfd0785f79d Mon Sep 17 00:00:00 2001
From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
Date: Thu, 7 Dec 2017 13:50:48 +0100
Subject: [PATCH 2/3] ZEN: Add CONFIG for unprivileged_userns_clone

This way our default behavior continues to match the vanilla kernel.
---
 init/Kconfig            | 16 ++++++++++++++++
 kernel/user_namespace.c |  4 ++++
 2 files changed, 20 insertions(+)

diff --git a/init/Kconfig b/init/Kconfig
index 4592bf7997c0..f3df02990aff 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1004,6 +1004,22 @@ config USER_NS
 
 	  If unsure, say N.
 
+config USER_NS_UNPRIVILEGED
+	bool "Allow unprivileged users to create namespaces"
+	default y
+	depends on USER_NS
+	help
+	  When disabled, unprivileged users will not be able to create
+	  new namespaces. Allowing users to create their own namespaces
+	  has been part of several recent local privilege escalation
+	  exploits, so if you need user namespaces but are
+	  paranoid^Wsecurity-conscious you want to disable this.
+
+	  This setting can be overridden at runtime via the
+	  kernel.unprivileged_userns_clone sysctl.
+
+	  If unsure, say Y.
+
 config PID_NS
 	bool "PID Namespaces"
 	default y
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 6b9dbc257e34..107b17f0d528 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -27,7 +27,11 @@
 #include <linux/sort.h>
 
 /* sysctl */
+#ifdef CONFIG_USER_NS_UNPRIVILEGED
+int unprivileged_userns_clone = 1;
+#else
 int unprivileged_userns_clone;
+#endif
 
 static struct kmem_cache *user_ns_cachep __read_mostly;
 static DEFINE_MUTEX(userns_state_mutex);
-- 
2.22.0