Showing
5 changed files
with
219 additions
and
48 deletions.
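--- a/linux-rt-bfq/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+++ b/linux-rt-bfq/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
@@ -0,0 +1,102 @@
+From 5ec2dd3a095442ec1a21d86042a4994f2ba24e63 Mon Sep 17 00:00:00 2001
+Message-Id: <5ec2dd3a095442ec1a21d86042a4994f2ba24e63.1512651251.git.jan.steffens@gmail.com>
+From: Serge Hallyn <serge.hallyn@canonical.com>
+Date: Fri, 31 May 2013 19:12:12 +0100
+Subject: [PATCH] add sysctl to disallow unprivileged CLONE_NEWUSER by default
+
+Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+[bwh: Remove unneeded binary sysctl bits]
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+kernel/fork.c | 15 +++++++++++++++
+kernel/sysctl.c | 12 ++++++++++++
+kernel/user_namespace.c | 3 +++
+3 files changed, 30 insertions(+)
+
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 07cc743698d3668e..4011d68a8ff9305c 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -102,6 +102,11 @@
+
+#define CREATE_TRACE_POINTS
+#include <trace/events/task.h>
++#ifdef CONFIG_USER_NS
++extern int unprivileged_userns_clone;
++#else
++#define unprivileged_userns_clone 0
++#endif
+
+/*
+* Minimum number of threads to boot the kernel
+@@ -1555,6 +1560,10 @@ static __latent_entropy struct task_struct *copy_process(
+if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
+return ERR_PTR(-EINVAL);
+
++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
++ if (!capable(CAP_SYS_ADMIN))
++ return ERR_PTR(-EPERM);
++
+/*
+* Thread groups must share signals as well, and detached threads
+* can only be started up within the thread group.
+@@ -2348,6 +2357,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
+if (unshare_flags & CLONE_NEWNS)
+unshare_flags |= CLONE_FS;
+
++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
++ err = -EPERM;
++ if (!capable(CAP_SYS_ADMIN))
++ goto bad_unshare_out;
++ }
++
+err = check_unshare_flags(unshare_flags);
+if (err)
+goto bad_unshare_out;
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index b86520ed3fb60fbf..f7dab3760839f1a1 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -105,6 +105,9 @@ extern int core_uses_pid;
+extern char core_pattern[];
+extern unsigned int core_pipe_limit;
+#endif
++#ifdef CONFIG_USER_NS
++extern int unprivileged_userns_clone;
++#endif
+extern int pid_max;
+extern int pid_max_min, pid_max_max;
+extern int percpu_pagelist_fraction;
+@@ -513,6 +516,15 @@ static struct ctl_table kern_table[] = {
+.proc_handler = proc_dointvec,
+},
+#endif
++#ifdef CONFIG_USER_NS
++ {
++ .procname = "unprivileged_userns_clone",
++ .data = &unprivileged_userns_clone,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
++ },
++#endif
+#ifdef CONFIG_PROC_SYSCTL
+{
+.procname = "tainted",
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index c490f1e4313b998a..dd03bd39d7bf194d 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -24,6 +24,9 @@
+#include <linux/projid.h>
+#include <linux/fs_struct.h>
+
++/* sysctl */
++int unprivileged_userns_clone;
++
+static struct kmem_cache *user_ns_cachep __read_mostly;
+static DEFINE_MUTEX(userns_state_mutex);
+
+--
+2.15.1
+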
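Review bot: The `unprivileged_userns_clone` entry added to `kern_table` in kernel/sysctl.c uses `proc_dointvec` with no bounds, so any integer can be written even though both new checks in kernel/fork.c (in `copy_process` and in `unshare`) only test it for zero. Since the knob is a boolean, I would bound it with `.proc_handler = proc_dointvec_minmax,` plus `.extra1 = &zero,` and `.extra2 = &one,` (assuming this tree's sysctl.c still carries those file-local bounds; they are not visible in the hunk). The default-deny behaviour relies on the implicit zero initialiser of `int unprivileged_userns_clone;` in kernel/user_namespace.c, which is documented only by `/* sysctl */`. A comment such as `/* 0 (default): CLONE_NEWUSER needs CAP_SYS_ADMIN in the initial user namespace; non-zero: unprivileged creation allowed */` would record that intent. Because the mode is 0644, any root process can relax the restriction at runtime, so systems relying on it for hardening should monitor the value for changes.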