diff --git a/PKGBUILD b/PKGBUILD
index ffe7f42..0bc770c 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -2,7 +2,7 @@
 # copied from Jan Alexander Steffens (heftig)
 pkgbase=linux-tom
-pkgver=6.12.8.arch1
+pkgver=6.12.9.arch1
 pkgrel=1
 pkgdesc='Linux'
 url='https://github.com/archlinux/linux'
diff --git a/config b/config
index 3e51f41..2018b19 100644
--- a/config
+++ b/config
@@ -1,15 +1,15 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 6.12.8-arch1 Kernel Configuration
+# Linux/x86 6.12.9-arch1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 14.2.1 20240910"
 CONFIG_CC_IS_GCC=y
 CONFIG_GCC_VERSION=140201
 CONFIG_CLANG_VERSION=0
 CONFIG_AS_IS_GNU=y
-CONFIG_AS_VERSION=24300
+CONFIG_AS_VERSION=24301
 CONFIG_LD_IS_BFD=y
-CONFIG_LD_VERSION=24300
+CONFIG_LD_VERSION=24301
 CONFIG_LLD_VERSION=0
 CONFIG_RUSTC_VERSION=0
 CONFIG_RUSTC_LLVM_VERSION=0
diff --git a/documentation/linux_configuration.pdf b/documentation/linux_configuration.pdf
index ecfb99a..d0ed5c1 100644
--- a/documentation/linux_configuration.pdf
+++ b/documentation/linux_configuration.pdf
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:2c0b58458a245f3073953ed9650706e2134e851108f520d12813d84532f3e164
-size 1703339
+oid sha256:fb5e7e402ed03b81ec883292d54ea5e427016533c774714e3d2650dd5fee0423
+size 1732585
diff --git a/documentation/linux_configuration.tex b/documentation/linux_configuration.tex
index a8f461e..16b804d 100644
--- a/documentation/linux_configuration.tex
+++ b/documentation/linux_configuration.tex
@@ -1,6 +1,6 @@
 %
-% Thomas Kuschel 2023
-\newcommand{\version}{V6.7}
+% Thomas Kuschel 2023-2025
+\newcommand{\version}{V6.12}
 % preconditions:
 % install on ARCH linux:
 % pacman -S texlive-plaingeneric
@@ -32,27 +32,27 @@ % Math mode with value and units framework, e.g. for 15.11.18.1 \usepackage{siunitx} -\newcommand{\siunitxversionfrom}{2023-07-31}% range-independent-prefix support added since that day -\IfPackageAtLeastTF{siunitx}{\siunitxversionfrom} -{% new version +%\newcommand{\siunitxversionfrom}{2023-07-31}% range-independent-prefix support added since that day +%\IfPackageAtLeastTF{siunitx}{\siunitxversionfrom} +%{% new version \sisetup{ locale=DE, exponent-to-prefix=true, range-independent-prefix=true, per-mode=symbol } -\newcommand{\siunitxold}{} -} -{% old version -\sisetup{ - locale=DE, - exponent-to-prefix=true, - per-mode=symbol -} -\newcommand{\siunitxold}{% -\\Please update your \LaTeX module \textit{siunitx}: The module is older then \siunitxversionfrom -}% -}% +%\newcommand{\siunitxold}{} +%} +%{% old version +%\sisetup{ +% locale=DE, +% exponent-to-prefix=true, +% per-mode=symbol +%} +%\newcommand{\siunitxold}{% +%\\Please update your \LaTeX module \textit{siunitx}: The module is older then \siunitxversionfrom +%}% +%}% \newcommand{\english}[1]{\textit{\scriptsize\selectlanguage{english}#1}\\[0.2em]} 
@@ -130,20 +130,23 @@ \section*{Linux Configuration \version} \subsection{Einführung} Dieses Dokument dient zur Beschreibung von diversen Einstellungen -bei der Konfiguration mittels \texttt{ make menuconfig } unter Linux.\\ +bei der Konfiguration z.\,B. mittels \texttt{ make menuconfig } unter Linux.\\ Es wird nicht näher darauf eingegangen, wie der Kernel kompiliert wird oder welche Voreinstellungen, Programme etc. zum Kompilieren benötigt werden.\\ +Abweichungen zur bestehenden Arch-Linux-Konfiguration werden immer \colorbox{yellow!80}{gelb} markiert.\\ +Original Texte, sofern geliefert (englischer Sprache) werden \textit{kursiv} und +etwas kleiner geschrieben. Zu Beginn der jeweiligen Konfigurationszeile wird der Standardwert (Default) angezeigt. Mein Vorschlag folgt danach.\\ -Z.\,B. bei CONFIG\_WERROR~[=n]~\textbf{[Y]}\\ +Z.\,B. bei CONFIG\_WERROR~\colorbox{yellow!80}{[=n]~\textbf{[Y]}}\\ Hier ist der Standarwert ein Nein [n], meine persönliche Einstellung ein Ja [Y].\\[0.5em] -\textit{\copyright KW4NZ, Thomas Kuschel\\Wenn Sie Tippfehler finden oder Korrekturen wünschen, +\textit{\copyright KW4NZ, Thomas Kuschel\\Wenn Sie Korrekturen wünschen, dann schicken Sie dies mit Erläuterungen und dem Hinweis auf die obenstehende Version \version ~an: \href{mailto:oe1tkt@gmail.com}{oe1tkt@gmail.com}\\ \pdftexbanner} -\siunitxold +%\siunitxold \subsection{Konfiguration für ein verteiltes Kompilieren auf mehreren Rechnern} Sie sollten schon einiges an Erfahrung mit dem Kompilieren unter Linux mitbringen. diff --git a/documentation/linux_configuration_01_general_setup.tex b/documentation/linux_configuration_01_general_setup.tex index 0b3b53a..621988c 100644 --- a/documentation/linux_configuration_01_general_setup.tex +++ b/documentation/linux_configuration_01_general_setup.tex 
@@ -330,7 +330,6 @@ Ermöglicht die Instrumentierung der Sicherheitshaken mit BPF-Programmen zur Imp MAC- und Prüfungsrichtlinien. Wenn Sie unsicher sind, wie Sie diese Frage beantworten sollten, antworten Sie mit N. \subsection{Preemption Model (Preemptible Kernel (Low-Latency Desktop)) \texorpdfstring{$\rightarrow$}{->}} - Eingestellt auf : Low-Latency, d.\,h. nur kleine Verzögerungen beim Modell des Multitaskings. Es gibt drei Einstellungen: \subsubsection{No Forced Preemption (Server)} @@ -342,14 +341,14 @@ keine Garantie dafür und es kann zu zufälligen, längeren Verzögerungszeiten Für einen Serverbetrieb wird diese Einstellung empfohlen, damit der maximale Durchsatz an Rechenleistung entsteht. \subsubsection{Voluntary Kernel Preemption (Desktop)} -CONFIG\_PREEMPT\_VOLUNTARY [=n] \textbf{[N]}\\ +CONFIG\_PREEMPT\_VOLUNTARY \colorbox{yellow!80}{[=n] \textbf{[Y]}}\\ Diese Einstellung reduziert die Latenz des Kernels durch zusätzliche \glqq explizite Unterbrechungspunkte\glqq{} im Kernel. Diese neuen Unterbrechungspunkte wurden ausgewählt, um die maximale Latenz beim neuerlichen Zuordnen des Schedulers zu reduzieren und dadurch schnelle Reaktionszeiten der Applikationen zu gewährleisten. -- Auf Kosten eines geringeren Durchsatzes wird dies erreicht. \subsubsection{Preemptible Kernel (Low-Latency Desktop)} -CONFIG\_PREEMPT [=y] \textbf{[Y]}\\ +CONFIG\_PREEMPT \colorbox{yellow!80}{[=y] \textbf{[N]}}\\ Bei dieser Einstellung wird die Latenz des Kernels weiter erniedrigt indem der gesamte Code des Kernels (keine kritischen, geschützten Bereiche) unterbrechbar gemacht wird. Dadurch wird ein reibungsloses Arbeiten mit Applikationen aus Nutzersicht erreicht, sogar unter Volllast. 
@@ -396,7 +395,50 @@ SCHED\_CORE ist standardmäßig deaktiviert. Wenn es aktiviert und unbenutzt ist bei Linux-Distributionen wahrscheinlich der Fall ist, sollte es keine messbaren Auswirkungen auf die Leistung haben. +% 1.21 Extensible Scheduling Class (since 6.11) +\subsection{Extensible Scheduling Class {\tiny since 6.12}} +CONFIG\_SCHED\_CLASS\_EXT [=y] \textbf{[Y]}\\ +Diese Option aktiviert eine neue Scheduler-Klasse sched\_ext (SCX), die es ermöglicht, +dass Scheduling-Richtlinien +als BPF-Programme implementiert werden können, um Folgendes zu erreichen: +\begin{itemize} +\item [-] Einfaches Experimentieren und Erforschen: + Ermöglicht die schnelle Iteration neuer Zeitplanungsrichtlinien. +\item [-] Anpassungsfähigkeit: Erstellung von anwendungsspezifischen Schedulern, + die Richtlinien implementieren, die für allgemeine Scheduler nicht anwendbar sind. +\item [-] Schnelle Scheduler-Implementierungen: Unterbrechungsfreie Auslagerung von Planungsrichtlinien + in Produktionsumgebungen. +\end{itemize} +sched\_ext nutzt die BPF-Funktion struct\_ops, +um eine Struktur zu definieren, +die Funktionsaufrufe und +Flags an BPF-Programme exportiert, die Zeitplanungsrichtlinien implementieren möchten.\\ +Die struct\_ops-Struktur, die von +sched\_ext exportierte Struktur heißt struct sched\_ext\_ops und ist konzeptionell ähnlich wie +struct sched\_class. +Für weitere Informationen:\\ +Dokumentation/scheduler/sched-ext.rst\\ +\href{https://github.com/sched-ext/scx}{https://github.com/sched-ext/scx}\\[1em] +\begin{small} +\textit{ +This option enables a new scheduler class sched\_ext (SCX), which +allows scheduling policies to be implemented as BPF programs to +achieve the following: +\begin{itemize} + \item[-] Ease of experimentation and exploration: Enabling rapid + iteration of new scheduling policies. + \item[-] Customization: Building application-specific schedulers which + implement policies that are not applicable to general-purpose schedulers. 
+ \item[-] Rapid scheduler deployments: Non-disruptive swap outs of + scheduling policies in production environments. + \end{itemize} +sched\_ext leverages BPF struct\_ops feature to define a structure +which exports function callbacks and flags to BPF programs that +wish to implement scheduling policies. The struct\_ops structure +exported by sched\_ext is struct sched\_ext\_ops, and is conceptually +similar to struct sched\_class.} +\end{small} \subsection{CPU/Task time and stats accounting \texorpdfstring{$\rightarrow$}{->}} \subsubsection{Cputime accounting (Full dynticks CPU time accounting) \texorpdfstring{$\rightarrow$}{->}} diff --git a/linux-v6.12.3-arch1.patch b/linux-v6.12.3-arch1.patch new file mode 100644 index 0000000..b503354 --- /dev/null +++ b/linux-v6.12.3-arch1.patch 
@@ -0,0 +1,217 @@ + Makefile | 2 +- + arch/Kconfig | 4 ++-- + drivers/firmware/sysfb.c | 18 +++++++++++++++++- + include/linux/user_namespace.h | 4 ++++ + init/Kconfig | 16 ++++++++++++++++ + kernel/fork.c | 14 ++++++++++++++ + kernel/sysctl.c | 12 ++++++++++++ + kernel/user_namespace.c | 7 +++++++ + 8 files changed, 73 insertions(+), 4 deletions(-) + +diff --git a/Makefile b/Makefile +index e81030ec6831434373e1b3661dcb495358e1ccb7..adfe952b62367e51d16f20ed676b097461ab96bb 100644 +--- a/Makefile ++++ b/Makefile +@@ -2,7 +2,7 @@ + VERSION = 6 + PATCHLEVEL = 12 + SUBLEVEL = 3 +-EXTRAVERSION = ++EXTRAVERSION = -arch1 + NAME = Baby Opossum Posse + + # *DOCUMENTATION* +diff --git a/arch/Kconfig b/arch/Kconfig +index bd9f095d69fa0300605b455d1d4f89da77129192..5fc4aa6b6b67a286d2e3541c4ac16839a7a5aedf 100644 +--- a/arch/Kconfig ++++ b/arch/Kconfig +@@ -1089,7 +1089,7 @@ config ARCH_MMAP_RND_BITS + int "Number of bits to use for ASLR of mmap base address" if EXPERT + range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX + default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT +- default ARCH_MMAP_RND_BITS_MIN ++ default ARCH_MMAP_RND_BITS_MAX + depends on HAVE_ARCH_MMAP_RND_BITS + help + This value can be used to select the number of bits to use to +@@ -1123,7 +1123,7 @@ config ARCH_MMAP_RND_COMPAT_BITS + int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT + range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX + default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT +- default ARCH_MMAP_RND_COMPAT_BITS_MIN ++ default ARCH_MMAP_RND_COMPAT_BITS_MAX + depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS + help + This value can be used to select the number of bits to use to +diff --git a/drivers/firmware/sysfb.c b/drivers/firmware/sysfb.c +index a3df782fa687b0f14a2646eccaf635c3bb247b2b..940d8f51434176586bad53de43bd892a7846c177 100644 +--- a/drivers/firmware/sysfb.c ++++ b/drivers/firmware/sysfb.c +@@ 
-35,6 +35,22 @@ + #include + #include + ++static int skip_simpledrm; ++ ++static int __init simpledrm_disable(char *opt) ++{ ++ if (!opt) ++ return -EINVAL; ++ ++ get_option(&opt, &skip_simpledrm); ++ ++ if (skip_simpledrm) ++ pr_info("The simpledrm driver will not be probed\n"); ++ ++ return 0; ++} ++early_param("nvidia-drm.modeset", simpledrm_disable); ++ + static struct platform_device *pd; + static DEFINE_MUTEX(disable_lock); + static bool disabled; +@@ -145,7 +161,7 @@ static __init int sysfb_init(void) + + /* try to create a simple-framebuffer device */ + compatible = sysfb_parse_mode(si, &mode); +- if (compatible) { ++ if (compatible && !skip_simpledrm) { + pd = sysfb_create_simplefb(si, &mode, parent); + if (!IS_ERR(pd)) + goto put_device; +diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h +index 7183e5aca28291a02cb186bcd8adba81b635b58f..56573371a2f8aff498768f0f3cbd17bbb8b0e15e 100644 +--- a/include/linux/user_namespace.h ++++ b/include/linux/user_namespace.h +@@ -159,6 +159,8 @@ static inline void set_userns_rlimit_max(struct user_namespace *ns, + + #ifdef CONFIG_USER_NS + ++extern int unprivileged_userns_clone; ++ + static inline struct user_namespace *get_user_ns(struct user_namespace *ns) + { + if (ns) +@@ -192,6 +194,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns); + struct ns_common *ns_get_owner(struct ns_common *ns); + #else + ++#define unprivileged_userns_clone 0 ++ + static inline struct user_namespace *get_user_ns(struct user_namespace *ns) + { + return &init_user_ns; +diff --git a/init/Kconfig b/init/Kconfig +index 7256fa127530ff893604722a740885551d50c777..164a449360644bc52e6032e1509ff5c65a068193 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1309,6 +1309,22 @@ config USER_NS + + If unsure, say N. 
+ ++config USER_NS_UNPRIVILEGED ++ bool "Allow unprivileged users to create namespaces" ++ default y ++ depends on USER_NS ++ help ++ When disabled, unprivileged users will not be able to create ++ new namespaces. Allowing users to create their own namespaces ++ has been part of several recent local privilege escalation ++ exploits, so if you need user namespaces but are ++ paranoid^Wsecurity-conscious you want to disable this. ++ ++ This setting can be overridden at runtime via the ++ kernel.unprivileged_userns_clone sysctl. ++ ++ If unsure, say Y. ++ + config PID_NS + bool "PID Namespaces" + default y +diff --git a/kernel/fork.c b/kernel/fork.c +index ce8be55e5e04b31faff120fff14c396372e9f1e5..e97e527cec69d7adaad8365c7ea8a1f54c86445b 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -107,6 +107,10 @@ + #include + #include + ++#ifdef CONFIG_USER_NS ++#include ++#endif ++ + #include + #include + #include +@@ -2158,6 +2162,10 @@ __latent_entropy struct task_struct *copy_process( + if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) + return ERR_PTR(-EINVAL); + ++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) ++ if (!capable(CAP_SYS_ADMIN)) ++ return ERR_PTR(-EPERM); ++ + /* + * Thread groups must share signals as well, and detached threads + * can only be started up within the thread group. 
+@@ -3311,6 +3319,12 @@ int ksys_unshare(unsigned long unshare_flags) + if (unshare_flags & CLONE_NEWNS) + unshare_flags |= CLONE_FS; + ++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) { ++ err = -EPERM; ++ if (!capable(CAP_SYS_ADMIN)) ++ goto bad_unshare_out; ++ } ++ + err = check_unshare_flags(unshare_flags); + if (err) + goto bad_unshare_out; +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index 79e6cb1d5c48f8e4f48580114f09bed9d65481af..676e89dc38c339cfb7042f5d9ad825fea9d7b19b 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -80,6 +80,9 @@ + #ifdef CONFIG_RT_MUTEXES + #include + #endif ++#ifdef CONFIG_USER_NS ++#include ++#endif + + /* shared constants to be used in various sysctls */ + const int sysctl_vals[] = { 0, 1, 2, 3, 4, 100, 200, 1000, 3000, INT_MAX, 65535, -1 }; +@@ -1618,6 +1621,15 @@ static struct ctl_table kern_table[] = { + .mode = 0644, + .proc_handler = proc_dointvec, + }, ++#ifdef CONFIG_USER_NS ++ { ++ .procname = "unprivileged_userns_clone", ++ .data = &unprivileged_userns_clone, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ }, ++#endif + #ifdef CONFIG_PROC_SYSCTL + { + .procname = "tainted", +diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c +index aa0b2e47f2f21bef96c45e09aaa4bc05dc5216b9..d74d857b1696077ae00e87af3de1afc76425d538 100644 +--- a/kernel/user_namespace.c ++++ b/kernel/user_namespace.c +@@ -22,6 +22,13 @@ + #include + #include + ++/* sysctl */ ++#ifdef CONFIG_USER_NS_UNPRIVILEGED ++int unprivileged_userns_clone = 1; ++#else ++int unprivileged_userns_clone; ++#endif ++ + static struct kmem_cache *user_ns_cachep __ro_after_init; + static DEFINE_MUTEX(userns_state_mutex); + diff --git a/linux-v6.12.6-arch1.patch b/linux-v6.12.6-arch1.patch new file mode 100644 index 0000000..edd97c3 --- /dev/null +++ b/linux-v6.12.6-arch1.patch 
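Review bot: The `kernel.unprivileged_userns_clone` entry added to kern_table in the kernel/sysctl.c hunk uses plain `proc_dointvec` with no `extra1`/`extra2`, so root can write any integer and every non-zero value is silently treated as "allowed" by the `!unprivileged_userns_clone` tests in copy_process() and ksys_unshare(); declaring it as `.proc_handler = proc_dointvec_minmax, .extra1 = SYSCTL_ZERO, .extra2 = SYSCTL_ONE,` makes the switch a true 0/1 toggle and rejects typos like `2` or `-1` instead of accepting them. The nested brace-less `if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) if (!capable(CAP_SYS_ADMIN))` in copy_process() is also fragile (dangling-else shape) and reads more clearly as one condition, `if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone && !capable(CAP_SYS_ADMIN)) return ERR_PTR(-EPERM);`, mirroring the ksys_unshare() form in the next hunk. This file appears to be a copy of the Arch patch, so the change belongs in the source of that patch rather than as a local edit; the enclosing copy_process() and ksys_unshare() bodies extend beyond the quoted hunks.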
@@ -0,0 +1,217 @@ + Makefile | 2 +- + arch/Kconfig | 4 ++-- + drivers/firmware/sysfb.c | 18 +++++++++++++++++- + include/linux/user_namespace.h | 4 ++++ + init/Kconfig | 16 ++++++++++++++++ + kernel/fork.c | 14 ++++++++++++++ + kernel/sysctl.c | 12 ++++++++++++ + kernel/user_namespace.c | 7 +++++++ + 8 files changed, 73 insertions(+), 4 deletions(-) + +diff --git a/Makefile b/Makefile +index c10952585c14b083349926e4b3a835604d86e8d7..fbeb1cc86345c3e9f0cca646343aba0f8c7bb4c3 100644 +--- a/Makefile ++++ b/Makefile +@@ -2,7 +2,7 @@ + VERSION = 6 + PATCHLEVEL = 12 + SUBLEVEL = 6 +-EXTRAVERSION = ++EXTRAVERSION = -arch1 + NAME = Baby Opossum Posse + + # *DOCUMENTATION* +diff --git a/arch/Kconfig b/arch/Kconfig +index bd9f095d69fa0300605b455d1d4f89da77129192..5fc4aa6b6b67a286d2e3541c4ac16839a7a5aedf 100644 +--- a/arch/Kconfig ++++ b/arch/Kconfig +@@ -1089,7 +1089,7 @@ config ARCH_MMAP_RND_BITS + int "Number of bits to use for ASLR of mmap base address" if EXPERT + range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX + default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT +- default ARCH_MMAP_RND_BITS_MIN ++ default ARCH_MMAP_RND_BITS_MAX + depends on HAVE_ARCH_MMAP_RND_BITS + help + This value can be used to select the number of bits to use to +@@ -1123,7 +1123,7 @@ config ARCH_MMAP_RND_COMPAT_BITS + int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT + range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX + default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT +- default ARCH_MMAP_RND_COMPAT_BITS_MIN ++ default ARCH_MMAP_RND_COMPAT_BITS_MAX + depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS + help + This value can be used to select the number of bits to use to +diff --git a/drivers/firmware/sysfb.c b/drivers/firmware/sysfb.c +index a3df782fa687b0f14a2646eccaf635c3bb247b2b..940d8f51434176586bad53de43bd892a7846c177 100644 +--- a/drivers/firmware/sysfb.c ++++ b/drivers/firmware/sysfb.c +@@ 
-35,6 +35,22 @@ + #include + #include + ++static int skip_simpledrm; ++ ++static int __init simpledrm_disable(char *opt) ++{ ++ if (!opt) ++ return -EINVAL; ++ ++ get_option(&opt, &skip_simpledrm); ++ ++ if (skip_simpledrm) ++ pr_info("The simpledrm driver will not be probed\n"); ++ ++ return 0; ++} ++early_param("nvidia-drm.modeset", simpledrm_disable); ++ + static struct platform_device *pd; + static DEFINE_MUTEX(disable_lock); + static bool disabled; +@@ -145,7 +161,7 @@ static __init int sysfb_init(void) + + /* try to create a simple-framebuffer device */ + compatible = sysfb_parse_mode(si, &mode); +- if (compatible) { ++ if (compatible && !skip_simpledrm) { + pd = sysfb_create_simplefb(si, &mode, parent); + if (!IS_ERR(pd)) + goto put_device; +diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h +index 7183e5aca28291a02cb186bcd8adba81b635b58f..56573371a2f8aff498768f0f3cbd17bbb8b0e15e 100644 +--- a/include/linux/user_namespace.h ++++ b/include/linux/user_namespace.h +@@ -159,6 +159,8 @@ static inline void set_userns_rlimit_max(struct user_namespace *ns, + + #ifdef CONFIG_USER_NS + ++extern int unprivileged_userns_clone; ++ + static inline struct user_namespace *get_user_ns(struct user_namespace *ns) + { + if (ns) +@@ -192,6 +194,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns); + struct ns_common *ns_get_owner(struct ns_common *ns); + #else + ++#define unprivileged_userns_clone 0 ++ + static inline struct user_namespace *get_user_ns(struct user_namespace *ns) + { + return &init_user_ns; +diff --git a/init/Kconfig b/init/Kconfig +index 7256fa127530ff893604722a740885551d50c777..164a449360644bc52e6032e1509ff5c65a068193 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1309,6 +1309,22 @@ config USER_NS + + If unsure, say N. 
+ ++config USER_NS_UNPRIVILEGED ++ bool "Allow unprivileged users to create namespaces" ++ default y ++ depends on USER_NS ++ help ++ When disabled, unprivileged users will not be able to create ++ new namespaces. Allowing users to create their own namespaces ++ has been part of several recent local privilege escalation ++ exploits, so if you need user namespaces but are ++ paranoid^Wsecurity-conscious you want to disable this. ++ ++ This setting can be overridden at runtime via the ++ kernel.unprivileged_userns_clone sysctl. ++ ++ If unsure, say Y. ++ + config PID_NS + bool "PID Namespaces" + default y +diff --git a/kernel/fork.c b/kernel/fork.c +index ce8be55e5e04b31faff120fff14c396372e9f1e5..e97e527cec69d7adaad8365c7ea8a1f54c86445b 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -107,6 +107,10 @@ + #include + #include + ++#ifdef CONFIG_USER_NS ++#include ++#endif ++ + #include + #include + #include +@@ -2158,6 +2162,10 @@ __latent_entropy struct task_struct *copy_process( + if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) + return ERR_PTR(-EINVAL); + ++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) ++ if (!capable(CAP_SYS_ADMIN)) ++ return ERR_PTR(-EPERM); ++ + /* + * Thread groups must share signals as well, and detached threads + * can only be started up within the thread group. 
+@@ -3311,6 +3319,12 @@ int ksys_unshare(unsigned long unshare_flags) + if (unshare_flags & CLONE_NEWNS) + unshare_flags |= CLONE_FS; + ++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) { ++ err = -EPERM; ++ if (!capable(CAP_SYS_ADMIN)) ++ goto bad_unshare_out; ++ } ++ + err = check_unshare_flags(unshare_flags); + if (err) + goto bad_unshare_out; +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index 79e6cb1d5c48f8e4f48580114f09bed9d65481af..676e89dc38c339cfb7042f5d9ad825fea9d7b19b 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -80,6 +80,9 @@ + #ifdef CONFIG_RT_MUTEXES + #include + #endif ++#ifdef CONFIG_USER_NS ++#include ++#endif + + /* shared constants to be used in various sysctls */ + const int sysctl_vals[] = { 0, 1, 2, 3, 4, 100, 200, 1000, 3000, INT_MAX, 65535, -1 }; +@@ -1618,6 +1621,15 @@ static struct ctl_table kern_table[] = { + .mode = 0644, + .proc_handler = proc_dointvec, + }, ++#ifdef CONFIG_USER_NS ++ { ++ .procname = "unprivileged_userns_clone", ++ .data = &unprivileged_userns_clone, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ }, ++#endif + #ifdef CONFIG_PROC_SYSCTL + { + .procname = "tainted", +diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c +index aa0b2e47f2f21bef96c45e09aaa4bc05dc5216b9..d74d857b1696077ae00e87af3de1afc76425d538 100644 +--- a/kernel/user_namespace.c ++++ b/kernel/user_namespace.c +@@ -22,6 +22,13 @@ + #include + #include + ++/* sysctl */ ++#ifdef CONFIG_USER_NS_UNPRIVILEGED ++int unprivileged_userns_clone = 1; ++#else ++int unprivileged_userns_clone; ++#endif ++ + static struct kmem_cache *user_ns_cachep __ro_after_init; + static DEFINE_MUTEX(userns_state_mutex); + diff --git a/linux-v6.12.7-arch1.patch b/linux-v6.12.7-arch1.patch new file mode 100644 index 0000000..34fe264 --- /dev/null +++ b/linux-v6.12.7-arch1.patch 
@@ -0,0 +1,230 @@ + Makefile | 2 +- + arch/Kconfig | 4 ++-- + drivers/firmware/sysfb.c | 18 +++++++++++++++++- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 1 + + include/linux/user_namespace.h | 4 ++++ + init/Kconfig | 16 ++++++++++++++++ + kernel/fork.c | 14 ++++++++++++++ + kernel/sysctl.c | 12 ++++++++++++ + kernel/user_namespace.c | 7 +++++++ + 9 files changed, 74 insertions(+), 4 deletions(-) + +diff --git a/Makefile b/Makefile +index 685a57f6c8d27963173944785fdc88c0ce158c45..000e55b91c868f3491f358add79bd9b2b4820e8e 100644 +--- a/Makefile ++++ b/Makefile +@@ -2,7 +2,7 @@ + VERSION = 6 + PATCHLEVEL = 12 + SUBLEVEL = 7 +-EXTRAVERSION = ++EXTRAVERSION = -arch1 + NAME = Baby Opossum Posse + + # *DOCUMENTATION* +diff --git a/arch/Kconfig b/arch/Kconfig +index bd9f095d69fa0300605b455d1d4f89da77129192..5fc4aa6b6b67a286d2e3541c4ac16839a7a5aedf 100644 +--- a/arch/Kconfig ++++ b/arch/Kconfig +@@ -1089,7 +1089,7 @@ config ARCH_MMAP_RND_BITS + int "Number of bits to use for ASLR of mmap base address" if EXPERT + range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX + default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT +- default ARCH_MMAP_RND_BITS_MIN ++ default ARCH_MMAP_RND_BITS_MAX + depends on HAVE_ARCH_MMAP_RND_BITS + help + This value can be used to select the number of bits to use to +@@ -1123,7 +1123,7 @@ config ARCH_MMAP_RND_COMPAT_BITS + int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT + range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX + default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT +- default ARCH_MMAP_RND_COMPAT_BITS_MIN ++ default ARCH_MMAP_RND_COMPAT_BITS_MAX + depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS + help + This value can be used to select the number of bits to use to +diff --git a/drivers/firmware/sysfb.c b/drivers/firmware/sysfb.c +index a3df782fa687b0f14a2646eccaf635c3bb247b2b..940d8f51434176586bad53de43bd892a7846c177 100644 +--- 
a/drivers/firmware/sysfb.c ++++ b/drivers/firmware/sysfb.c +@@ -35,6 +35,22 @@ + #include + #include + ++static int skip_simpledrm; ++ ++static int __init simpledrm_disable(char *opt) ++{ ++ if (!opt) ++ return -EINVAL; ++ ++ get_option(&opt, &skip_simpledrm); ++ ++ if (skip_simpledrm) ++ pr_info("The simpledrm driver will not be probed\n"); ++ ++ return 0; ++} ++early_param("nvidia-drm.modeset", simpledrm_disable); ++ + static struct platform_device *pd; + static DEFINE_MUTEX(disable_lock); + static bool disabled; +@@ -145,7 +161,7 @@ static __init int sysfb_init(void) + + /* try to create a simple-framebuffer device */ + compatible = sysfb_parse_mode(si, &mode); +- if (compatible) { ++ if (compatible && !skip_simpledrm) { + pd = sysfb_create_simplefb(si, &mode, parent); + if (!IS_ERR(pd)) + goto put_device; +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index 51904906545e5975de775ce3dafee6a3df4a3397..ad4cd84e40f28d439c10dafeb0724793df5624bd 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -3723,6 +3723,7 @@ static int amdgpu_device_ip_resume_phase3(struct amdgpu_device *adev) + r = adev->ip_blocks[i].version->funcs->resume(adev); + if (r) + return r; ++ adev->ip_blocks[i].status.hw = true; + } + } + +diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h +index 7183e5aca28291a02cb186bcd8adba81b635b58f..56573371a2f8aff498768f0f3cbd17bbb8b0e15e 100644 +--- a/include/linux/user_namespace.h ++++ b/include/linux/user_namespace.h +@@ -159,6 +159,8 @@ static inline void set_userns_rlimit_max(struct user_namespace *ns, + + #ifdef CONFIG_USER_NS + ++extern int unprivileged_userns_clone; ++ + static inline struct user_namespace *get_user_ns(struct user_namespace *ns) + { + if (ns) +@@ -192,6 +194,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns); + struct ns_common *ns_get_owner(struct ns_common *ns); + #else + 
++#define unprivileged_userns_clone 0 ++ + static inline struct user_namespace *get_user_ns(struct user_namespace *ns) + { + return &init_user_ns; +diff --git a/init/Kconfig b/init/Kconfig +index 7256fa127530ff893604722a740885551d50c777..164a449360644bc52e6032e1509ff5c65a068193 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1309,6 +1309,22 @@ config USER_NS + + If unsure, say N. + ++config USER_NS_UNPRIVILEGED ++ bool "Allow unprivileged users to create namespaces" ++ default y ++ depends on USER_NS ++ help ++ When disabled, unprivileged users will not be able to create ++ new namespaces. Allowing users to create their own namespaces ++ has been part of several recent local privilege escalation ++ exploits, so if you need user namespaces but are ++ paranoid^Wsecurity-conscious you want to disable this. ++ ++ This setting can be overridden at runtime via the ++ kernel.unprivileged_userns_clone sysctl. ++ ++ If unsure, say Y. ++ + config PID_NS + bool "PID Namespaces" + default y +diff --git a/kernel/fork.c b/kernel/fork.c +index ce8be55e5e04b31faff120fff14c396372e9f1e5..e97e527cec69d7adaad8365c7ea8a1f54c86445b 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -107,6 +107,10 @@ + #include + #include + ++#ifdef CONFIG_USER_NS ++#include ++#endif ++ + #include + #include + #include +@@ -2158,6 +2162,10 @@ __latent_entropy struct task_struct *copy_process( + if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) + return ERR_PTR(-EINVAL); + ++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) ++ if (!capable(CAP_SYS_ADMIN)) ++ return ERR_PTR(-EPERM); ++ + /* + * Thread groups must share signals as well, and detached threads + * can only be started up within the thread group. 
+@@ -3311,6 +3319,12 @@ int ksys_unshare(unsigned long unshare_flags) + if (unshare_flags & CLONE_NEWNS) + unshare_flags |= CLONE_FS; + ++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) { ++ err = -EPERM; ++ if (!capable(CAP_SYS_ADMIN)) ++ goto bad_unshare_out; ++ } ++ + err = check_unshare_flags(unshare_flags); + if (err) + goto bad_unshare_out; +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index 79e6cb1d5c48f8e4f48580114f09bed9d65481af..676e89dc38c339cfb7042f5d9ad825fea9d7b19b 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -80,6 +80,9 @@ + #ifdef CONFIG_RT_MUTEXES + #include + #endif ++#ifdef CONFIG_USER_NS ++#include ++#endif + + /* shared constants to be used in various sysctls */ + const int sysctl_vals[] = { 0, 1, 2, 3, 4, 100, 200, 1000, 3000, INT_MAX, 65535, -1 }; +@@ -1618,6 +1621,15 @@ static struct ctl_table kern_table[] = { + .mode = 0644, + .proc_handler = proc_dointvec, + }, ++#ifdef CONFIG_USER_NS ++ { ++ .procname = "unprivileged_userns_clone", ++ .data = &unprivileged_userns_clone, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ }, ++#endif + #ifdef CONFIG_PROC_SYSCTL + { + .procname = "tainted", +diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c +index aa0b2e47f2f21bef96c45e09aaa4bc05dc5216b9..d74d857b1696077ae00e87af3de1afc76425d538 100644 +--- a/kernel/user_namespace.c ++++ b/kernel/user_namespace.c +@@ -22,6 +22,13 @@ + #include + #include + ++/* sysctl */ ++#ifdef CONFIG_USER_NS_UNPRIVILEGED ++int unprivileged_userns_clone = 1; ++#else ++int unprivileged_userns_clone; ++#endif ++ + static struct kmem_cache *user_ns_cachep __ro_after_init; + static DEFINE_MUTEX(userns_state_mutex); +
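Review bot: The Makefile hunk of this newly committed file pins `SUBLEVEL = 7` (and the 6.12.3 and 6.12.6 copies pin 3 and 6), while the same commit moves PKGBUILD's pkgver to 6.12.9.arch1 and adds no linux-v6.12.9-arch1.patch, so if the build applies a committed patch the version hunk will be rejected against a 6.12.9 tree; the PKGBUILD `source`/`sha256sums` arrays are outside this diff, so whether these files are referenced at all cannot be confirmed here. If they are kept for reference only, a one-line note in the repository (or a `patches/archive/` location) saying so would keep a reader from chasing a stale patch; if they are applied, the patch matching the current pkgver needs to be committed together with its checksum. Checking in three near-identical copies that differ only in the Makefile hunk and the one-line amdgpu resume fix also means any future change to the userns sysctl or sysfb code has to be repeated in each file, which is how hardening patches drift apart unnoticed.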