-rw-r--r-- | 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch | 57 | ||||
-rw-r--r-- | PKGBUILD | 9 | ||||
-rw-r--r-- | config.x86_64 | 4 |
3 files changed, 66 insertions, 4 deletions
diff --git a/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch b/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
new file mode 100644
index 0000000..dfa89cc
--- /dev/null
+++ b/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
@@ -0,0 +1,57 @@
+From b30ec6648774140adcbfc9b0e813ecfd0785f79d Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
+Date: Thu, 7 Dec 2017 13:50:48 +0100
+Subject: [PATCH 2/3] ZEN: Add CONFIG for unprivileged_userns_clone
+
+This way our default behavior continues to match the vanilla kernel.
+---
+ init/Kconfig | 16 ++++++++++++++++
+ kernel/user_namespace.c | 4 ++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 4592bf7997c0..f3df02990aff 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1004,6 +1004,22 @@ config USER_NS
+
+ If unsure, say N.
+
++config USER_NS_UNPRIVILEGED
++ bool "Allow unprivileged users to create namespaces"
++ default y
++ depends on USER_NS
++ help
++ When disabled, unprivileged users will not be able to create
++ new namespaces. Allowing users to create their own namespaces
++ has been part of several recent local privilege escalation
++ exploits, so if you need user namespaces but are
++ paranoid^Wsecurity-conscious you want to disable this.
++
++ This setting can be overridden at runtime via the
++ kernel.unprivileged_userns_clone sysctl.
++
++ If unsure, say Y.
++
+ config PID_NS
+ bool "PID Namespaces"
+ default y
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 6b9dbc257e34..107b17f0d528 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -27,7 +27,11 @@
+ #include <linux/sort.h>
+
+ /* sysctl */
++#ifdef CONFIG_USER_NS_UNPRIVILEGED
++int unprivileged_userns_clone = 1;
++#else
+ int unprivileged_userns_clone;
++#endif
+
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+--
+2.22.0
+
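Review bot: Together with `CONFIG_USER_NS_UNPRIVILEGED=y` in the config.x86_64 hunk at `@@ -167,6 +167,7 @@`, this patch changes the boot-time value of `unprivileged_userns_clone` from 0 (the zero-initialised `int unprivileged_userns_clone;` left by patch 0001) to 1. Unprivileged user-namespace creation therefore becomes allowed by default after the upgrade, even though the new Kconfig help text itself names it as a component of local privilege escalation exploits. If the restrictive default was what this package intended to ship, keep the option off in config.x86_64 with `# CONFIG_USER_NS_UNPRIVILEGED is not set`. If the flip is intended, it should be called out in the package changelog or install message so administrators can pin `kernel.unprivileged_userns_clone = 0` in a sysctl.d drop-in and check the value after upgrading.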
@@ -16,7 +16,7 @@ pkgbase=linux-libre _majver=5.1 -_minver=9 +_minver=10 if [ "$_minver" == "0" ]; then pkgver=${_majver} else @@ -37,6 +37,7 @@ source=( https://linux-libre.fsfla.org/pub/linux-libre/releases/${_gnumajver}/linux-libre-${_gnumajver}.tar.xz{,.sign} https://linux-libre.fsfla.org/pub/linux-libre/releases/${_gnupkgver}/patch-${_gnumajver}-${_gnupkgver}.xz{,.sign} 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch + 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch graysky_bdver2-hotfix.patch enable_additional_cpu_optimizations-$_gcc_more_v.tar.gz::https://github.com/graysky2/kernel_gcc_patch/archive/$_gcc_more_v.tar.gz ath9k-regdom-hack.patch 
@@ -48,14 +49,15 @@ source=( ) sha512sums=('42510bffa69746e0f919fecef5a23da4adb2473239ee67730fa1eb2340256fb4618c6acab439c01ae781df768a2e1ac4b76ad80fe0e4a432eaceb7f01f275439' 'SKIP' - 'c42b7d8136fac195a256e77ef8cb020430c4e5f1de1eac32f49f0aee0a51477da161d18b7b180805dfa66c995f4aff5cc65a1eb67cd44b67fbbec6e32ff3f364' + 'f5c9d6e6e17c4b3b57947af5929204e88d8d149ac76333e3c0ac9f7e4e10c42db34b7b2646d8b08ca2cbe2d905eafb52cd8f74b3793203f23d18ffeb64c16917' 'SKIP' '81a57ab537da498800475d1b30d2d067e06325486e7f19aab713c4bab211a7caaf63b85e1c761646eb945c40b6a0b917eeb2be9e58c8a6d9f730e5b25bb982b8' + '32a95975fd933c2fe25a54b2fd7d6533d7adcc3c7a607159b4625020907af3d632c5b5f457b8c359669dbd19e77bf14348731a5385e10fc94471ad2a1b9a4ceb' '5ec8f3ef9c4467a99ae9c5350d0cc82fcf4ed78064ae732805d348053655b9ac8217ee2bfe301918634110cab14d85f58b8422e41e328f2ac77921ae8ec3a770' 'a0f37a9b8dbd11f8ef4450b06afee0a6e5519cb5a5cd78f84896812b007ef645bcb9c733ae9817c24d1f4a4c2114258015abceb5a94c7e08d2bb00531a6f04c7' '905beb3f47cccb161e1ee74f8d5ba324b7c2f72e86246d941dfb18c85ace9d32df1966b52d2be2e3ff1ebea74af3b868422aec5a3eebc29858ee9e7207dea226' 'd6bec327f4f2c69f2fc2780d90cd5d057bc5e32b39e54a13fccb1f5a880a148fa322e54c372e38d3f453d06fd9ab54d653265f355bd61e08a416058bd4224167' - '7d72f951c89706b2f2f4d86e32a098794d796b842046dafa86a83dc991187d7b2be880a0b024ee147c0ed13b53dc2b029766aceca94fd145c4847539e12997d2' + '91ade74cdadeb5504386c23bf1e4ddcf50da4e294f3919bc0146a2f717d022d9385ce53233c920683efa66421f5a6a4bb525b372f7153e185d1ce1410863238a' '7ad5be75ee422dda3b80edd2eb614d8a9181e2c8228cd68b3881e2fb95953bf2dea6cbe7900ce1013c9de89b2802574b7b24869fc5d7a95d3cc3112c4d27063a' '4a8b324aee4cccf3a512ad04ce1a272d14e5b05c8de90feb82075f55ea3845948d817e1b0c6f298f5816834ddd3e5ce0a0e2619866289f3c1ab8fd2f35f04f44' '2dc6b0ba8f7dbf19d2446c5c5f1823587de89f4e28e9595937dd51a87755099656f2acec50e3e2546ea633ad1bfd1c722e0c2b91eef1d609103d8abdc0a7cbaf') 
@@ -77,6 +79,7 @@ prepare() { # Hotfixes msg2 "Applying hotfixes" patch -p1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch + patch -p1 -i ../0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch # graysky gcc hotfixes diff --git a/config.x86_64 b/config.x86_64 index 880f630..6c1d3ea 100644 --- a/config.x86_64 +++ b/config.x86_64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.1.8 Kernel Configuration +# Linux/x86 5.1.9 Kernel Configuration # # @@ -167,6 +167,7 @@ CONFIG_NAMESPACES=y CONFIG_UTS_NS=y CONFIG_IPC_NS=y CONFIG_USER_NS=y +CONFIG_USER_NS_UNPRIVILEGED=y CONFIG_PID_NS=y CONFIG_NET_NS=y CONFIG_CHECKPOINT_RESTORE=y @@ -6058,6 +6059,7 @@ CONFIG_CHASH=m # CONFIG_CHASH_STATS is not set # CONFIG_CHASH_SELFTEST is not set CONFIG_DRM_NOUVEAU=m +CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT=y CONFIG_NOUVEAU_DEBUG=5 CONFIG_NOUVEAU_DEBUG_DEFAULT=3 # CONFIG_NOUVEAU_DEBUG_MMU is not set |