From 646b358bc568efb3a85fdfa1dde47adcfbe9546b Mon Sep 17 00:00:00 2001 From: jc_gargma Date: Mon, 18 Oct 2021 06:44:16 -0700 Subject: Updated to 5.14.13 --- ...ctl-and-CONFIG-to-disallow-unprivileged-C.patch | 153 +++++++++++++++++++++ PKGBUILD | 8 +- ...ctl-and-CONFIG-to-disallow-unprivileged-C.patch | 153 --------------------- 3 files changed, 157 insertions(+), 157 deletions(-) create mode 100644 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch delete mode 100644 ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch diff --git a/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch b/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch new file mode 100644 index 0000000..48371cd --- /dev/null +++ b/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch @@ -0,0 +1,153 @@ +From 048c6dda33c592ef025b372311eede5e05ef9cb7 Mon Sep 17 00:00:00 2001 +From: "Jan Alexander Steffens (heftig)" +Date: Mon, 16 Sep 2019 04:53:20 +0200 +Subject: ZEN: Add sysctl and CONFIG to disallow unprivileged CLONE_NEWUSER + +Our default behavior continues to match the vanilla kernel. +--- + include/linux/user_namespace.h | 4 ++++ + init/Kconfig | 16 ++++++++++++++++ + kernel/fork.c | 14 ++++++++++++++ + kernel/sysctl.c | 12 ++++++++++++ + kernel/user_namespace.c | 7 +++++++ + 5 files changed, 53 insertions(+) + +diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h +index 6ef1c7109fc4..2140091b0b8d 100644 +--- a/include/linux/user_namespace.h ++++ b/include/linux/user_namespace.h +@@ -106,6 +106,8 @@ void dec_ucount(struct ucounts *ucounts, enum ucount_type type); + + #ifdef CONFIG_USER_NS + ++extern int unprivileged_userns_clone; ++ + static inline struct user_namespace *get_user_ns(struct user_namespace *ns) + { + if (ns) +@@ -139,6 +141,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns); + struct ns_common *ns_get_owner(struct ns_common *ns); + #else + ++#define unprivileged_userns_clone 0 ++ + static inline struct user_namespace *get_user_ns(struct user_namespace *ns) + { + return &init_user_ns; +diff --git a/init/Kconfig b/init/Kconfig +index 0872a5a2e759..a40d8afeb1bb 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1173,6 +1173,22 @@ config USER_NS + + If unsure, say N. + ++config USER_NS_UNPRIVILEGED ++ bool "Allow unprivileged users to create namespaces" ++ default y ++ depends on USER_NS ++ help ++ When disabled, unprivileged users will not be able to create ++ new namespaces. Allowing users to create their own namespaces ++ has been part of several recent local privilege escalation ++ exploits, so if you need user namespaces but are ++ paranoid^Wsecurity-conscious you want to disable this. ++ ++ This setting can be overridden at runtime via the ++ kernel.unprivileged_userns_clone sysctl. ++ ++ If unsure, say Y. ++ + config PID_NS + bool "PID Namespaces" + default y +diff --git a/kernel/fork.c b/kernel/fork.c +index 6d266388d380..635146a691c1 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -97,6 +97,10 @@ + #include + #include + ++#ifdef CONFIG_USER_NS ++#include ++#endif ++ + #include + #include + #include +@@ -1862,6 +1866,10 @@ static __latent_entropy struct task_struct *copy_process( + if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) + return ERR_PTR(-EINVAL); + ++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) ++ if (!capable(CAP_SYS_ADMIN)) ++ return ERR_PTR(-EPERM); ++ + /* + * Thread groups must share signals as well, and detached threads + * can only be started up within the thread group. +@@ -2927,6 +2935,12 @@ int ksys_unshare(unsigned long unshare_flags) + if (unshare_flags & CLONE_NEWNS) + unshare_flags |= CLONE_FS; + ++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) { ++ err = -EPERM; ++ if (!capable(CAP_SYS_ADMIN)) ++ goto bad_unshare_out; ++ } ++ + err = check_unshare_flags(unshare_flags); + if (err) + goto bad_unshare_out; +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index afad085960b8..a94828fb31c2 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -103,6 +103,9 @@ + #ifdef CONFIG_LOCKUP_DETECTOR + #include + #endif ++#ifdef CONFIG_USER_NS ++#include ++#endif + + #if defined(CONFIG_SYSCTL) + +@@ -1902,6 +1905,15 @@ static struct ctl_table kern_table[] = { + .proc_handler = proc_dointvec, + }, + #endif ++#ifdef CONFIG_USER_NS ++ { ++ .procname = "unprivileged_userns_clone", ++ .data = &unprivileged_userns_clone, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ }, ++#endif + #ifdef CONFIG_PROC_SYSCTL + { + .procname = "tainted", +diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c +index e703d5d9cbe8..5758274feaee 100644 +--- a/kernel/user_namespace.c ++++ b/kernel/user_namespace.c +@@ -21,6 +21,13 @@ + #include + #include + ++/* sysctl */ ++#ifdef CONFIG_USER_NS_UNPRIVILEGED ++int unprivileged_userns_clone = 1; ++#else ++int unprivileged_userns_clone; ++#endif ++ + static struct kmem_cache *user_ns_cachep __read_mostly; + static DEFINE_MUTEX(userns_state_mutex); + +-- +cgit v1.2.3-1-gf6bb5 + diff --git a/PKGBUILD b/PKGBUILD index 2fd822c..cf096c2 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -18,7 +18,7 @@ _custom=0 pkgbase=linux _supver=5 _majver=14 -_minver=12 +_minver=13 _gccpatchver='20210914' _gccpatchker='5.8-5.14' if [ "$_minver" == "0" ]; then @@ -41,7 +41,7 @@ _srcname=linux-${pkgver} source=( https://www.kernel.org/pub/linux/kernel/v${_supver}.x/${_srcname}.tar.{xz,sign} config # the main kernel config file - ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch + 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch 0002-Bluetooth-btusb-Add-support-for-IMC-Networks-Mediate.patch 0003-Bluetooth-btusb-Add-support-for-Foxconn-Mediatek-Chi.patch 0004-ALSA-pcm-Check-mmap-capability-of-runtime-dma-buffer.patch @@ -56,7 +56,7 @@ validpgpkeys=( '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman ) # https://www.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc -b2sums=('854c3160a327a38ba0e8e35a2952029670429d829e903ba4fda659aa7cc7b88014b5dbdeefd2e0cc95e0311875fc7dae4c5fad825bff72102a894624845acbb8' +b2sums=('4bb15634eb047d31173be23dac211ce6f4be77f8929cf4f183290e58080aacd70d6512e0bf3229c6d3badf311411a356fbd27d30d1ea40eada364a76f413228b' 'SKIP' 'c14d7a8d37f6bb432684068dbc1b924a51c9edef5421b833700d8801d53d25ba51f9b14a81fa6c2f1c8e02a1d51cb09485dca517752c9fe4ba0459b6ef840edc' '2f9195675270d79d735a3aaec25887c2f80b76eae98be8fcc5fd59ab71d925c5ee20ec5e2a015deb68b61bc2cc7f56f546a22cb96ee038e2e24c2c9dd5c3f79f' @@ -86,7 +86,7 @@ prepare() { # Hotfixes echo "Applying hotfixes" - patch -p1 -i ../ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch + patch -p1 -i ../0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch patch -p1 -i ../0002-Bluetooth-btusb-Add-support-for-IMC-Networks-Mediate.patch patch -p1 -i ../0003-Bluetooth-btusb-Add-support-for-Foxconn-Mediatek-Chi.patch patch -p1 -i ../0004-ALSA-pcm-Check-mmap-capability-of-runtime-dma-buffer.patch diff --git a/ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch b/ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch deleted file mode 100644 index 48371cd..0000000 --- a/ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch +++ /dev/null @@ -1,153 +0,0 @@ -From 048c6dda33c592ef025b372311eede5e05ef9cb7 Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" -Date: Mon, 16 Sep 2019 04:53:20 +0200 -Subject: ZEN: Add sysctl and CONFIG to disallow unprivileged CLONE_NEWUSER - -Our default behavior continues to match the vanilla kernel. ---- - include/linux/user_namespace.h | 4 ++++ - init/Kconfig | 16 ++++++++++++++++ - kernel/fork.c | 14 ++++++++++++++ - kernel/sysctl.c | 12 ++++++++++++ - kernel/user_namespace.c | 7 +++++++ - 5 files changed, 53 insertions(+) - -diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h -index 6ef1c7109fc4..2140091b0b8d 100644 ---- a/include/linux/user_namespace.h -+++ b/include/linux/user_namespace.h -@@ -106,6 +106,8 @@ void dec_ucount(struct ucounts *ucounts, enum ucount_type type); - - #ifdef CONFIG_USER_NS - -+extern int unprivileged_userns_clone; -+ - static inline struct user_namespace *get_user_ns(struct user_namespace *ns) - { - if (ns) -@@ -139,6 +141,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns); - struct ns_common *ns_get_owner(struct ns_common *ns); - #else - -+#define unprivileged_userns_clone 0 -+ - static inline struct user_namespace *get_user_ns(struct user_namespace *ns) - { - return &init_user_ns; -diff --git a/init/Kconfig b/init/Kconfig -index 0872a5a2e759..a40d8afeb1bb 100644 ---- a/init/Kconfig -+++ b/init/Kconfig -@@ -1173,6 +1173,22 @@ config USER_NS - - If unsure, say N. - -+config USER_NS_UNPRIVILEGED -+ bool "Allow unprivileged users to create namespaces" -+ default y -+ depends on USER_NS -+ help -+ When disabled, unprivileged users will not be able to create -+ new namespaces. Allowing users to create their own namespaces -+ has been part of several recent local privilege escalation -+ exploits, so if you need user namespaces but are -+ paranoid^Wsecurity-conscious you want to disable this. -+ -+ This setting can be overridden at runtime via the -+ kernel.unprivileged_userns_clone sysctl. -+ -+ If unsure, say Y. -+ - config PID_NS - bool "PID Namespaces" - default y -diff --git a/kernel/fork.c b/kernel/fork.c -index 6d266388d380..635146a691c1 100644 ---- a/kernel/fork.c -+++ b/kernel/fork.c -@@ -97,6 +97,10 @@ - #include - #include - -+#ifdef CONFIG_USER_NS -+#include -+#endif -+ - #include - #include - #include -@@ -1862,6 +1866,10 @@ static __latent_entropy struct task_struct *copy_process( - if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) - return ERR_PTR(-EINVAL); - -+ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) -+ if (!capable(CAP_SYS_ADMIN)) -+ return ERR_PTR(-EPERM); -+ - /* - * Thread groups must share signals as well, and detached threads - * can only be started up within the thread group. -@@ -2927,6 +2935,12 @@ int ksys_unshare(unsigned long unshare_flags) - if (unshare_flags & CLONE_NEWNS) - unshare_flags |= CLONE_FS; - -+ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) { -+ err = -EPERM; -+ if (!capable(CAP_SYS_ADMIN)) -+ goto bad_unshare_out; -+ } -+ - err = check_unshare_flags(unshare_flags); - if (err) - goto bad_unshare_out; -diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index afad085960b8..a94828fb31c2 100644 ---- a/kernel/sysctl.c -+++ b/kernel/sysctl.c -@@ -103,6 +103,9 @@ - #ifdef CONFIG_LOCKUP_DETECTOR - #include - #endif -+#ifdef CONFIG_USER_NS -+#include -+#endif - - #if defined(CONFIG_SYSCTL) - -@@ -1902,6 +1905,15 @@ static struct ctl_table kern_table[] = { - .proc_handler = proc_dointvec, - }, - #endif -+#ifdef CONFIG_USER_NS -+ { -+ .procname = "unprivileged_userns_clone", -+ .data = &unprivileged_userns_clone, -+ .maxlen = sizeof(int), -+ .mode = 0644, -+ .proc_handler = proc_dointvec, -+ }, -+#endif - #ifdef CONFIG_PROC_SYSCTL - { - .procname = "tainted", -diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c -index e703d5d9cbe8..5758274feaee 100644 ---- a/kernel/user_namespace.c -+++ b/kernel/user_namespace.c -@@ -21,6 +21,13 @@ - #include - #include - -+/* sysctl */ -+#ifdef CONFIG_USER_NS_UNPRIVILEGED -+int unprivileged_userns_clone = 1; -+#else -+int unprivileged_userns_clone; -+#endif -+ - static struct kmem_cache *user_ns_cachep __read_mostly; - static DEFINE_MUTEX(userns_state_mutex); - --- -cgit v1.2.3-1-gf6bb5 - -- cgit v1.2.1