Add an old unpublished patch
This commit is contained in:
parent
9062485c8b
commit
4d5e4f3c99
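--- /dev/null
+++ b/content/post/user-ns-for-grsecurity.md
@@ -0,0 +1,29 @@
+---
+title: Support for the user namespace in grsecurity kernel
+date: !!timestamp '2018-10-31 00:00:00'
+tags:
+- kernel
+---
+
+Grsecurity has completely disabled, [on
+purpose](https://forums.grsecurity.net/viewtopic.php?f=3&t=3929#p13904), the
+user namespace code for the kernel.
+
+As the goal of this namespace is to gain (virtualy) root privilegies inside a
+namespace (in theory, it shouldn't give more priviledgies than the one you
+initialy have outside of your namespace), there are some interesting use cases,
+or, in my case I need to perform some demo in front of my students.
+
+<!--more-->
+
+Other distros, like Debian, choose to allow the use of user namespace through a
+custom kernel config variable. In order to use them without both
+`CAP_SYS_ADMIN`, `CAP_SETUID` and `CAP_SETGID`, you need to activate (as root):
+
+```bash
+42sh# sysctl -w kernel.unprivileged_userns_clone=1
+```
+
+To reproduce the same behaviour with a grsecurity kernel, I made a patch, to
+apply after the grsecurity patch:
+[grsec-enable-user-ns.patch](grsec-enable-user-ns.patch).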
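--- /dev/null
+++ b/static/post/user-ns-for-grsecurity/grsec-enable-user-ns.patch
@@ -0,0 +1,100 @@
+--- /usr/src/linux-4.9.54-minipli/kernel/user_namespace.c 2017-10-14 12:27:08.718490316 +0200
++++ /usr/src/linux/kernel/user_namespace.c 2017-11-01 18:27:35.317843207 +0100
+@@ -23,6 +23,9 @@
+#include <linux/projid.h>
+#include <linux/fs_struct.h>
+
++/* sysctl */
++int unprivileged_userns_clone;
++
+static struct kmem_cache *user_ns_cachep __read_mostly;
+static DEFINE_MUTEX(userns_state_mutex);
+
+@@ -76,21 +79,6 @@
+struct ucounts *ucounts;
+int ret, i;
+
+-#ifdef CONFIG_GRKERNSEC
+- /*
+- * This doesn't really inspire confidence:
+- * http://marc.info/?l=linux-kernel&m=135543612731939&w=2
+- * http://marc.info/?l=linux-kernel&m=135545831607095&w=2
+- * Increases kernel attack surface in areas developers
+- * previously cared little about ("low importance due
+- * to requiring "root" capability")
+- * To be removed when this code receives *proper* review
+- */
+- if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) ||
+- !capable(CAP_SETGID))
+- return -EPERM;
+-#endif
+-
+ret = -ENOSPC;
+if (parent_ns->level > 32)
+goto fail;
+--- /usr/src/linux-4.9.54-minipli/kernel/fork.c 2017-10-14 12:27:08.678490299 +0200
++++ /usr/src/linux/kernel/fork.c 2017-11-01 18:27:35.292843341 +0100
+@@ -88,6 +88,11 @@
+
+#define CREATE_TRACE_POINTS
+#include <trace/events/task.h>
++#ifdef CONFIG_USER_NS
++extern int unprivileged_userns_clone;
++#else
++#define unprivileged_userns_clone 0
++#endif
+
+/*
+* Minimum number of threads to boot the kernel
+@@ -1602,6 +1607,10 @@
+if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
+return ERR_PTR(-EINVAL);
+
++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
++ if (!capable(CAP_SYS_ADMIN))
++ return ERR_PTR(-EPERM);
++
+/*
+* Thread groups must share signals as well, and detached threads
+* can only be started up within the thread group.
+@@ -2360,6 +2369,12 @@
+if (unshare_flags & CLONE_NEWNS)
+unshare_flags |= CLONE_FS;
+
++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
++ err = -EPERM;
++ if (!capable(CAP_SYS_ADMIN))
++ goto bad_unshare_out;
++ }
++
+err = check_unshare_flags(unshare_flags);
+if (err)
+goto bad_unshare_out;
+--- /usr/src/linux-4.9.54-minipli/kernel/sysctl.c 2017-10-14 12:27:08.704490310 +0200
++++ /usr/src/linux/kernel/sysctl.c 2017-11-01 18:27:35.306843266 +0100
+@@ -103,6 +103,9 @@
+extern char core_pattern[];
+extern unsigned int core_pipe_limit;
+#endif
++#ifdef CONFIG_USER_NS
++extern int unprivileged_userns_clone;
++#endif
+extern int pid_max;
+extern int pid_max_min, pid_max_max;
+extern int percpu_pagelist_fraction;
+@@ -527,6 +530,15 @@
+.mode = 0644,
+.proc_handler = proc_dointvec,
+},
++#endif
++#ifdef CONFIG_USER_NS
++ {
++ .procname = "unprivileged_userns_clone",
++ .data = &unprivileged_userns_clone,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
++ },
+#endif
+#ifdef CONFIG_PROC_SYSCTL
+{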
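Review bot: The gate added in fork.c, `+ if (!capable(CAP_SYS_ADMIN))` in both the copy_process and unshare hunks, requires only CAP_SYS_ADMIN, while the check removed from create_user_ns in the user_namespace.c hunk also required CAP_SETUID and CAP_SETGID, so with the sysctl at its default the privileged path is looser than stock grsecurity rather than a 1:1 re-gating; if the intent is to keep the grsecurity policy while the knob is off, test all three, `if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) || !capable(CAP_SETGID))`. The default of 0 comes only from `+int unprivileged_userns_clone;` being a file-scope definition with no initializer; the `+/* sysctl */` comment should say so, e.g. `/* sysctl: 0 (default) keeps user namespace creation privileged, as in grsecurity */`. The new sysctl entry uses `proc_dointvec` with no `.extra1`/`.extra2`, so any integer is accepted where a 0/1 switch is meant; `proc_dointvec_minmax` bounded to 0..1 would make the knob boolean and match how the fork.c hunks read it.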