1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
3 Date: Mon, 16 Sep 2019 04:53:20 +0200
4 Subject: [PATCH] ZEN: Add sysctl and CONFIG to disallow unprivileged
5 CLONE_NEWUSER
7 Our default behavior continues to match the vanilla kernel.
8 ---
9 include/linux/user_namespace.h | 4 ++++
10 init/Kconfig | 16 ++++++++++++++++
11 kernel/fork.c | 14 ++++++++++++++
12 kernel/sysctl.c | 12 ++++++++++++
13 kernel/user_namespace.c | 7 +++++++
14 5 files changed, 53 insertions(+)
16 diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
17 index 33a4240e6a6f..82213f9c4c17 100644
18 --- a/include/linux/user_namespace.h
19 +++ b/include/linux/user_namespace.h
20 @@ -139,6 +139,8 @@ static inline void set_rlimit_ucount_max(struct user_namespace *ns,
22 #ifdef CONFIG_USER_NS
24 +extern int unprivileged_userns_clone;
26 static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
28 if (ns)
29 @@ -172,6 +174,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns);
30 struct ns_common *ns_get_owner(struct ns_common *ns);
31 #else
33 +#define unprivileged_userns_clone 0
35 static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
37 return &init_user_ns;
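Review bot: The `#define unprivileged_userns_clone 0` fallback in the `#else` branch makes the new CAP_SYS_ADMIN check in kernel/fork.c active on kernels built without CONFIG_USER_NS, where CLONE_NEWUSER cannot succeed anyway; as far as I can tell that turns the -EINVAL an unprivileged caller gets today from the create_user_ns() stub into -EPERM, a user-visible change on a configuration the patch is not meant to touch. Defining the fallback as `#define unprivileged_userns_clone 1` would let the compiler drop the check entirely on those builds and leave their behaviour unchanged. Either way a one-line comment on the fallback saying why that value was chosen would help, since the name reads as a policy knob rather than a compile-out shim.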
38 diff --git a/init/Kconfig b/init/Kconfig
39 index d19ed66aba3b..a67689ca1929 100644
40 --- a/init/Kconfig
41 +++ b/init/Kconfig
42 @@ -1231,6 +1231,22 @@ config USER_NS
44 If unsure, say N.
46 +config USER_NS_UNPRIVILEGED
47 + bool "Allow unprivileged users to create namespaces"
48 + default y
49 + depends on USER_NS
50 + help
51 + When disabled, unprivileged users will not be able to create
52 + new namespaces. Allowing users to create their own namespaces
53 + has been part of several recent local privilege escalation
54 + exploits, so if you need user namespaces but are
55 + paranoid^Wsecurity-conscious you want to disable this.
57 + This setting can be overridden at runtime via the
58 + kernel.unprivileged_userns_clone sysctl.
60 + If unsure, say Y.
62 config PID_NS
63 bool "PID Namespaces"
64 default y
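Review bot: The help text says unprivileged users "will not be able to create new namespaces", but the code behind this option only gates CLONE_NEWUSER; the other namespace types already require CAP_SYS_ADMIN regardless of this setting. The first sentence should read `When disabled, unprivileged users will not be able to create new user namespaces.` so an admin reading the help screen knows what is and is not affected. The "paranoid^Wsecurity-conscious" phrasing is a matter of taste, but plain `security-conscious` reads better in a help screen.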
65 diff --git a/kernel/fork.c b/kernel/fork.c
66 index 89475c994ca9..a00b3f26f241 100644
67 --- a/kernel/fork.c
68 +++ b/kernel/fork.c
69 @@ -98,6 +98,10 @@
70 #include <linux/io_uring.h>
71 #include <linux/bpf.h>
73 +#ifdef CONFIG_USER_NS
74 +#include <linux/user_namespace.h>
75 +#endif
77 #include <asm/pgalloc.h>
78 #include <linux/uaccess.h>
79 #include <asm/mmu_context.h>
80 @@ -1950,6 +1954,10 @@ static __latent_entropy struct task_struct *copy_process(
81 if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
82 return ERR_PTR(-EINVAL);
84 + if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
85 + if (!capable(CAP_SYS_ADMIN))
86 + return ERR_PTR(-EPERM);
89 * Thread groups must share signals as well, and detached threads
90 * can only be started up within the thread group.
91 @@ -3066,6 +3074,12 @@ int ksys_unshare(unsigned long unshare_flags)
92 if (unshare_flags & CLONE_NEWNS)
93 unshare_flags |= CLONE_FS;
95 + if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
96 + err = -EPERM;
97 + if (!capable(CAP_SYS_ADMIN))
98 + goto bad_unshare_out;
99 + }
101 err = check_unshare_flags(unshare_flags);
102 if (err)
103 goto bad_unshare_out;
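Review bot: The `#include <linux/user_namespace.h>` added in the first hunk is wrapped in `#ifdef CONFIG_USER_NS`, but the only reason the header provides a `#define unprivileged_userns_clone 0` fallback is the !CONFIG_USER_NS build, so guarding the include defeats it: unless the header happens to be reached transitively, the references to `unprivileged_userns_clone` in copy_process() and ksys_unshare() do not compile on that configuration. The include should be unconditional, `#include <linux/user_namespace.h>`, which is what the header is written for. Separately, the two new checks have different shapes — an unbraced nested `if` in copy_process() and a braced block in ksys_unshare(); writing the first as `if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone && !capable(CAP_SYS_ADMIN)) return ERR_PTR(-EPERM);` keeps capable() short-circuited exactly as now and reads like the surrounding flag checks. Both copy_process() and ksys_unshare() continue outside the hunks.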
104 diff --git a/kernel/sysctl.c b/kernel/sysctl.c
105 index 23c08bf3db58..63ab60778e5d 100644
106 --- a/kernel/sysctl.c
107 +++ b/kernel/sysctl.c
108 @@ -105,6 +105,9 @@
109 #ifdef CONFIG_LOCKUP_DETECTOR
110 #include <linux/nmi.h>
111 #endif
112 +#ifdef CONFIG_USER_NS
113 +#include <linux/user_namespace.h>
114 +#endif
116 #if defined(CONFIG_SYSCTL)
118 @@ -1953,6 +1956,15 @@ static struct ctl_table kern_table[] = {
119 .proc_handler = proc_dointvec,
121 #endif
122 +#ifdef CONFIG_USER_NS
124 + .procname = "unprivileged_userns_clone",
125 + .data = &unprivileged_userns_clone,
126 + .maxlen = sizeof(int),
127 + .mode = 0644,
128 + .proc_handler = proc_dointvec,
129 + },
130 +#endif
131 #ifdef CONFIG_PROC_SYSCTL
133 .procname = "tainted",
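Review bot: The new `unprivileged_userns_clone` entry uses `proc_dointvec`, so any int can be written: `-1` or `42` both behave as "enabled" because the checks in kernel/fork.c only test for non-zero, and reading the knob back then no longer tells an administrator which policy is in force. The other boolean knobs in kern_table clamp to 0/1; this entry should do the same with `.proc_handler = proc_dointvec_minmax,` `.extra1 = SYSCTL_ZERO,` `.extra2 = SYSCTL_ONE,`. The entry's opening brace line is not visible in this rendering, but the rest of the kern_table entry is unaffected by that change.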
134 diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
135 index 5481ba44a8d6..423ab2563ad7 100644
136 --- a/kernel/user_namespace.c
137 +++ b/kernel/user_namespace.c
138 @@ -21,6 +21,13 @@
139 #include <linux/bsearch.h>
140 #include <linux/sort.h>
142 +/* sysctl */
143 +#ifdef CONFIG_USER_NS_UNPRIVILEGED
144 +int unprivileged_userns_clone = 1;
145 +#else
146 +int unprivileged_userns_clone;
147 +#endif
149 static struct kmem_cache *user_ns_cachep __read_mostly;
150 static DEFINE_MUTEX(userns_state_mutex);
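Review bot: The comment above the new definition, `/* sysctl */`, does not say what the knob controls or where its default comes from, and this is the one place a reader will look. A short comment would do: `/* kernel.unprivileged_userns_clone: when 0, CLONE_NEWUSER requires CAP_SYS_ADMIN; default from CONFIG_USER_NS_UNPRIVILEGED */`. Since the value is read on every clone()/unshare() carrying CLONE_NEWUSER and written only through the sysctl, the `__read_mostly` annotation the neighbouring `user_ns_cachep` carries would fit here too, e.g. `int unprivileged_userns_clone __read_mostly = 1;`.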