101 lines
2.8 KiB
Diff
101 lines
2.8 KiB
Diff
--- /usr/src/linux-4.9.54-minipli/kernel/user_namespace.c 2017-10-14 12:27:08.718490316 +0200
|
|
+++ /usr/src/linux/kernel/user_namespace.c 2017-11-01 18:27:35.317843207 +0100
|
|
@@ -23,6 +23,9 @@
|
|
#include <linux/projid.h>
|
|
#include <linux/fs_struct.h>
|
|
|
|
+/* sysctl */
|
|
+int unprivileged_userns_clone;
|
|
+
|
|
static struct kmem_cache *user_ns_cachep __read_mostly;
|
|
static DEFINE_MUTEX(userns_state_mutex);
|
|
|
|
@@ -76,21 +79,6 @@
|
|
struct ucounts *ucounts;
|
|
int ret, i;
|
|
|
|
-#ifdef CONFIG_GRKERNSEC
|
|
- /*
|
|
- * This doesn't really inspire confidence:
|
|
- * http://marc.info/?l=linux-kernel&m=135543612731939&w=2
|
|
- * http://marc.info/?l=linux-kernel&m=135545831607095&w=2
|
|
- * Increases kernel attack surface in areas developers
|
|
- * previously cared little about ("low importance due
|
|
- * to requiring "root" capability")
|
|
- * To be removed when this code receives *proper* review
|
|
- */
|
|
- if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) ||
|
|
- !capable(CAP_SETGID))
|
|
- return -EPERM;
|
|
-#endif
|
|
-
|
|
ret = -ENOSPC;
|
|
if (parent_ns->level > 32)
|
|
goto fail;
|
|
--- /usr/src/linux-4.9.54-minipli/kernel/fork.c 2017-10-14 12:27:08.678490299 +0200
|
|
+++ /usr/src/linux/kernel/fork.c 2017-11-01 18:27:35.292843341 +0100
|
|
@@ -88,6 +88,11 @@
|
|
|
|
#define CREATE_TRACE_POINTS
|
|
#include <trace/events/task.h>
|
|
+#ifdef CONFIG_USER_NS
|
|
+extern int unprivileged_userns_clone;
|
|
+#else
|
|
+#define unprivileged_userns_clone 0
|
|
+#endif
|
|
|
|
/*
|
|
* Minimum number of threads to boot the kernel
|
|
@@ -1602,6 +1607,10 @@
|
|
if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
+ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
|
|
+ if (!capable(CAP_SYS_ADMIN))
|
|
+ return ERR_PTR(-EPERM);
|
|
+
|
|
/*
|
|
* Thread groups must share signals as well, and detached threads
|
|
* can only be started up within the thread group.
|
|
@@ -2360,6 +2369,12 @@
|
|
if (unshare_flags & CLONE_NEWNS)
|
|
unshare_flags |= CLONE_FS;
|
|
|
|
+ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
|
|
+ err = -EPERM;
|
|
+ if (!capable(CAP_SYS_ADMIN))
|
|
+ goto bad_unshare_out;
|
|
+ }
|
|
+
|
|
err = check_unshare_flags(unshare_flags);
|
|
if (err)
|
|
goto bad_unshare_out;
|
|
--- /usr/src/linux-4.9.54-minipli/kernel/sysctl.c 2017-10-14 12:27:08.704490310 +0200
|
|
+++ /usr/src/linux/kernel/sysctl.c 2017-11-01 18:27:35.306843266 +0100
|
|
@@ -103,6 +103,9 @@
|
|
extern char core_pattern[];
|
|
extern unsigned int core_pipe_limit;
|
|
#endif
|
|
+#ifdef CONFIG_USER_NS
|
|
+extern int unprivileged_userns_clone;
|
|
+#endif
|
|
extern int pid_max;
|
|
extern int pid_max_min, pid_max_max;
|
|
extern int percpu_pagelist_fraction;
|
|
@@ -527,6 +530,15 @@
|
|
.mode = 0644,
|
|
.proc_handler = proc_dointvec,
|
|
},
|
|
+#endif
|
|
+#ifdef CONFIG_USER_NS
|
|
+ {
|
|
+ .procname = "unprivileged_userns_clone",
|
|
+ .data = &unprivileged_userns_clone,
|
|
+ .maxlen = sizeof(int),
|
|
+ .mode = 0644,
|
|
+ .proc_handler = proc_dointvec,
|
|
+ },
|
|
#endif
|
|
#ifdef CONFIG_PROC_SYSCTL
|
|
{
|