summaryrefslogtreecommitdiff
path: root/sys-kernel/linux-sources-redcore-lts/files/5.15-0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
diff options
context:
space:
mode:
authorV3n3RiX <venerix@koprulu.sector>2022-04-21 02:13:00 +0100
committerV3n3RiX <venerix@koprulu.sector>2022-04-21 02:13:00 +0100
commitbffbad1c6c7cfd8e59b5609c1f298c530d6f3dc0 (patch)
treef68c98fde96c57e94b309b8b11294df16429b574 /sys-kernel/linux-sources-redcore-lts/files/5.15-0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
parent076ddede5efb81dd30aee12b999a7cccc4776983 (diff)
sys-kernel/linux-{image,sources}-redcore-lts : version bump
Diffstat (limited to 'sys-kernel/linux-sources-redcore-lts/files/5.15-0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch')
-rw-r--r--sys-kernel/linux-sources-redcore-lts/files/5.15-0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch151
1 files changed, 151 insertions, 0 deletions
diff --git a/sys-kernel/linux-sources-redcore-lts/files/5.15-0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch b/sys-kernel/linux-sources-redcore-lts/files/5.15-0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
new file mode 100644
index 00000000..ddfbd03b
--- /dev/null
+++ b/sys-kernel/linux-sources-redcore-lts/files/5.15-0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
@@ -0,0 +1,151 @@
+From 0948f6ce6d898c598f8fe88240954e578fdc8387 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
+Date: Mon, 16 Sep 2019 04:53:20 +0200
+Subject: [PATCH] ZEN: Add sysctl and CONFIG to disallow unprivileged
+ CLONE_NEWUSER
+
+Our default behavior continues to match the vanilla kernel.
+---
+ include/linux/user_namespace.h | 4 ++++
+ init/Kconfig | 16 ++++++++++++++++
+ kernel/fork.c | 14 ++++++++++++++
+ kernel/sysctl.c | 12 ++++++++++++
+ kernel/user_namespace.c | 7 +++++++
+ 5 files changed, 53 insertions(+)
+
+diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
+index 33a4240e6a6f1..82213f9c4c17f 100644
+--- a/include/linux/user_namespace.h
++++ b/include/linux/user_namespace.h
+@@ -139,6 +139,8 @@ static inline void set_rlimit_ucount_max(struct user_namespace *ns,
+
+ #ifdef CONFIG_USER_NS
+
++extern int unprivileged_userns_clone;
++
+ static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
+ {
+ if (ns)
+@@ -172,6 +174,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns);
+ struct ns_common *ns_get_owner(struct ns_common *ns);
+ #else
+
++#define unprivileged_userns_clone 0
++
+ static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
+ {
+ return &init_user_ns;
+diff --git a/init/Kconfig b/init/Kconfig
+index 11f8a845f259d..02b7a0e455a5d 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1226,6 +1226,22 @@ config USER_NS
+
+ If unsure, say N.
+
++config USER_NS_UNPRIVILEGED
++ bool "Allow unprivileged users to create namespaces"
++ default y
++ depends on USER_NS
++ help
++ When disabled, unprivileged users will not be able to create
++ new namespaces. Allowing users to create their own namespaces
++ has been part of several recent local privilege escalation
++ exploits, so if you need user namespaces but are
++ paranoid^Wsecurity-conscious you want to disable this.
++
++ This setting can be overridden at runtime via the
++ kernel.unprivileged_userns_clone sysctl.
++
++ If unsure, say Y.
++
+ config PID_NS
+ bool "PID Namespaces"
+ default y
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 10885c649ca42..e0fe98e1afbdb 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -98,6 +98,10 @@
+ #include <linux/io_uring.h>
+ #include <linux/bpf.h>
+
++#ifdef CONFIG_USER_NS
++#include <linux/user_namespace.h>
++#endif
++
+ #include <asm/pgalloc.h>
+ #include <linux/uaccess.h>
+ #include <asm/mmu_context.h>
+@@ -1950,6 +1954,10 @@ static __latent_entropy struct task_struct *copy_process(
+ if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
+ return ERR_PTR(-EINVAL);
+
++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
++ if (!capable(CAP_SYS_ADMIN))
++ return ERR_PTR(-EPERM);
++
+ /*
+ * Thread groups must share signals as well, and detached threads
+ * can only be started up within the thread group.
+@@ -3056,6 +3064,12 @@ int ksys_unshare(unsigned long unshare_flags)
+ if (unshare_flags & CLONE_NEWNS)
+ unshare_flags |= CLONE_FS;
+
++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
++ err = -EPERM;
++ if (!capable(CAP_SYS_ADMIN))
++ goto bad_unshare_out;
++ }
++
+ err = check_unshare_flags(unshare_flags);
+ if (err)
+ goto bad_unshare_out;
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 083be6af29d70..42aa3c7835b96 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -105,6 +105,9 @@
+ #ifdef CONFIG_LOCKUP_DETECTOR
+ #include <linux/nmi.h>
+ #endif
++#ifdef CONFIG_USER_NS
++#include <linux/user_namespace.h>
++#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -1949,6 +1952,15 @@ static struct ctl_table kern_table[] = {
+ .proc_handler = proc_dointvec,
+ },
+ #endif
++#ifdef CONFIG_USER_NS
++ {
++ .procname = "unprivileged_userns_clone",
++ .data = &unprivileged_userns_clone,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
++ },
++#endif
+ #ifdef CONFIG_PROC_SYSCTL
+ {
+ .procname = "tainted",
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 6b2e3ca7ee993..0253002184f1d 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -21,6 +21,13 @@
+ #include <linux/bsearch.h>
+ #include <linux/sort.h>
+
++/* sysctl */
++#ifdef CONFIG_USER_NS_UNPRIVILEGED
++int unprivileged_userns_clone = 1;
++#else
++int unprivileged_userns_clone;
++#endif
++
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+