Diffstat (limited to 'sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0100-add-CONFIG-for-unprivileged_userns_clone.patch')
| -rw-r--r-- | sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0100-add-CONFIG-for-unprivileged_userns_clone.patch | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0100-add-CONFIG-for-unprivileged_userns_clone.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0100-add-CONFIG-for-unprivileged_userns_clone.patch
new file mode 100644
index 000000000000..0cea2ed57cfe
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0100-add-CONFIG-for-unprivileged_userns_clone.patch
@@ -0,0 +1,66 @@
+From fbd6fc095f4430b68ef24e35fd196d3a20c7d382 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Wed, 31 Jul 2019 20:50:48 +0100
+Subject: [PATCH 100/112] add CONFIG for unprivileged_userns_clone
+
+When disabled, unprivileged users will not be able to create
+new namespaces. Allowing users to create their own namespaces
+has been part of several recent local privilege escalation
+exploits, so if you need user namespaces but are
+paranoid^Wsecurity-conscious you want to disable this.
+
+By default unprivileged user namespaces are disabled.
+
+Authored-by: Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
+Edited-by: Levente Polyak (anthraxx) <levente@leventepolyak.net>
+---
+ init/Kconfig | 16 ++++++++++++++++
+ kernel/user_namespace.c | 4 ++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index f15109e7b111..94918210ee72 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1174,6 +1174,22 @@ config USER_NS
+
+ If unsure, say N.
+
++config USER_NS_UNPRIVILEGED
++ bool "Allow unprivileged users to create namespaces"
++ depends on USER_NS
++ default n
++ help
++ When disabled, unprivileged users will not be able to create
++ new namespaces. Allowing users to create their own namespaces
++ has been part of several recent local privilege escalation
++ exploits, so if you need user namespaces but are
++ paranoid^Wsecurity-conscious you want to disable this.
++
++ This setting can be overridden at runtime via the
++ kernel.unprivileged_userns_clone sysctl.
++
++ If unsure, say N.
++
+ config PID_NS
+ bool "PID Namespaces"
+ default y
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 29a30cff5e60..5758274feaee 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -22,7 +22,11 @@
+ #include <linux/sort.h>
+
+ /* sysctl */
++#ifdef CONFIG_USER_NS_UNPRIVILEGED
++int unprivileged_userns_clone = 1;
++#else
+ int unprivileged_userns_clone;
++#endif
+
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+--
+2.30.0
+ |
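Review bot: The Kconfig help added in the init/Kconfig part of the embedded patch reads as if `USER_NS_UNPRIVILEGED=n` were a hard disable of "new namespaces", but the kernel/user_namespace.c part only selects the initial value of `unprivileged_userns_clone`, and the help itself says the sysctl can override it at runtime. I would make that explicit so nobody treats the build option as the control: prompt `bool "Allow unprivileged users to create user namespaces by default"` and a help sentence such as `This only sets the boot-time default of kernel.unprivileged_userns_clone; root can change it at runtime.` Hardened deployments that rely on this should also pin the sysctl to 0 in their sysctl configuration and alert on changes to it. The sysctl registration and the permission check that reads the variable are not in this patch (the plain `int unprivileged_userns_clone;` appears as pre-existing context), so presumably they come from an earlier patch in the series; worth confirming that one is applied first.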
