archrelease: copy trunk to extra-x86_64
1 From 31d126e465d38a247ff9aef5851c93cee2753a77 Mon Sep 17 00:00:00 2001
2 From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
3 Date: Mon, 16 Sep 2019 04:53:20 +0200
4 Subject: [PATCH] ZEN: Add sysctl and CONFIG to disallow unprivileged
5 CLONE_NEWUSER
7 Our default behavior continues to match the vanilla kernel.
8 ---
9 include/linux/user_namespace.h | 4 ++++
10 init/Kconfig | 16 ++++++++++++++++
11 kernel/fork.c | 14 ++++++++++++++
12 kernel/sysctl.c | 12 ++++++++++++
13 kernel/user_namespace.c | 7 +++++++
14 5 files changed, 53 insertions(+)
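diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index 45f09bec02c485..87b20e2ee27445 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
@@ -148,6 +148,8 @@ static inline void set_userns_rlimit_max(struct user_namespace *ns,
 #ifdef CONFIG_USER_NS
+extern int unprivileged_userns_clone;
 static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
 if (ns)
@@ -181,6 +183,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns);
 struct ns_common *ns_get_owner(struct ns_common *ns);
 #else
+#define unprivileged_userns_clone 0
 static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
 return &init_user_ns;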
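Review bot: The new `extern int unprivileged_userns_clone;` is added without any comment explaining what the knob controls or where it is exposed, and the `#define unprivileged_userns_clone 0` fallback in the `#else` branch is equally bare. A reader of the header cannot tell that a value of 0 makes CLONE_NEWUSER require CAP_SYS_ADMIN in kernel/fork.c, nor that the macro exists so the unconditional tests there still compile when CONFIG_USER_NS is off. Suggest preceding the extern with `/* kernel.unprivileged_userns_clone sysctl: 0 => CLONE_NEWUSER needs CAP_SYS_ADMIN (see kernel/fork.c) */` and the macro with `/* no user namespaces: keep the identifier defined for fork.c, always 0 */`.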
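diff --git a/init/Kconfig b/init/Kconfig
index 0c214af99085da..d9ae969eae321c 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1251,6 +1251,22 @@ config USER_NS
 If unsure, say N.
+config USER_NS_UNPRIVILEGED
+ bool "Allow unprivileged users to create namespaces"
+ default y
+ depends on USER_NS
+ help
+ When disabled, unprivileged users will not be able to create
+ new namespaces. Allowing users to create their own namespaces
+ has been part of several recent local privilege escalation
+ exploits, so if you need user namespaces but are
+ paranoid^Wsecurity-conscious you want to disable this.
+ This setting can be overridden at runtime via the
+ kernel.unprivileged_userns_clone sysctl.
+ If unsure, say Y.
 config PID_NS
 bool "PID Namespaces"
 default y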
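Review bot: The prompt and help text say the option gates creation of "namespaces" in general, but the only check it controls (in kernel/fork.c) tests CLONE_NEWUSER, so what is actually restricted is creation of user namespaces; the other namespace types keep whatever capability rules they already have. Suggest `bool "Allow unprivileged users to create user namespaces"` for the prompt and `When disabled, unprivileged users will not be able to create new user namespaces.` as the opening of the help text, so an administrator does not expect the knob to cover more than it does. The `paranoid^Wsecurity-conscious` joke reads oddly in a config help screen; plain `security-conscious` says the same thing.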
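diff --git a/kernel/fork.c b/kernel/fork.c
index 844dfdc8c639c3..31d41db3f84d74 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -98,6 +98,10 @@
 #include <linux/io_uring.h>
 #include <linux/bpf.h>
+#ifdef CONFIG_USER_NS
+#include <linux/user_namespace.h>
+#endif
 #include <asm/pgalloc.h>
 #include <linux/uaccess.h>
 #include <asm/mmu_context.h>
@@ -2011,6 +2015,10 @@ static __latent_entropy struct task_struct *copy_process(
 if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
 return ERR_PTR(-EINVAL);
+ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
+ if (!capable(CAP_SYS_ADMIN))
+ return ERR_PTR(-EPERM);
 * Thread groups must share signals as well, and detached threads
 * can only be started up within the thread group.
@@ -3171,6 +3179,12 @@ int ksys_unshare(unsigned long unshare_flags)
 if (unshare_flags & CLONE_NEWNS)
 unshare_flags |= CLONE_FS;
+ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
+ err = -EPERM;
+ if (!capable(CAP_SYS_ADMIN))
+ goto bad_unshare_out;
+ }
 err = check_unshare_flags(unshare_flags);
 if (err)
 goto bad_unshare_out;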
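Review bot: The include of linux/user_namespace.h in the first hunk is wrapped in `#ifdef CONFIG_USER_NS`, yet the two new uses of `unprivileged_userns_clone` in copy_process and ksys_unshare are unconditional; the header's own `#else` branch supplies `#define unprivileged_userns_clone 0` precisely for the !CONFIG_USER_NS case, and guarding the include means that fallback only reaches fork.c if something else pulls the header in transitively. Drop the guard and include it unconditionally: `#include <linux/user_namespace.h>`. The copy_process check is also a brace-less nested `if`; writing it as one condition, `if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone && !capable(CAP_SYS_ADMIN))`, matches the surrounding style and mirrors the braced form used in ksys_unshare. Both copy_process and ksys_unshare extend beyond their hunks.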
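diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index c6d9dec11b749d..9a4514ad481b21 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -81,6 +81,9 @@
 #ifdef CONFIG_RT_MUTEXES
 #include <linux/rtmutex.h>
 #endif
+#ifdef CONFIG_USER_NS
+#include <linux/user_namespace.h>
+#endif
 /* shared constants to be used in various sysctls */
 const int sysctl_vals[] = { 0, 1, 2, 3, 4, 100, 200, 1000, 3000, INT_MAX, 65535, -1 };
@@ -1659,6 +1662,15 @@ static struct ctl_table kern_table[] = {
 .mode = 0644,
 .proc_handler = proc_dointvec,
+#ifdef CONFIG_USER_NS
+ .procname = "unprivileged_userns_clone",
+ .data = &unprivileged_userns_clone,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ },
+#endif
 #ifdef CONFIG_PROC_SYSCTL
 .procname = "tainted",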
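Review bot: The new kern_table entry uses `proc_dointvec` with no bounds, so any int (including negative values) is accepted for a knob that fork.c only ever tests for zero versus non-zero; a bounded handler makes the accepted range explicit and matches how other boolean sysctls in this table are declared. Since the file already has the shared `sysctl_vals` table with 0 and 1 at the top, change the entry to `.proc_handler = proc_dointvec_minmax,` and add `.extra1 = SYSCTL_ZERO,` and `.extra2 = SYSCTL_ONE,`. The enclosing kern_table initializer continues outside the hunk.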
134 diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
135 index 54211dbd516c57..16ca0c1516298d 100644
136 --- a/kernel/user_namespace.c
137 +++ b/kernel/user_namespace.c
138 @@ -22,6 +22,13 @@
139 #include <linux/bsearch.h>
140 #include <linux/sort.h>
142 +/* sysctl */
143 +#ifdef CONFIG_USER_NS_UNPRIVILEGED
144 +int unprivileged_userns_clone = 1;
145 +#else
146 +int unprivileged_userns_clone;
147 +#endif
149 static struct kmem_cache *user_ns_cachep __read_mostly;
150 static DEFINE_MUTEX(userns_state_mutex);