From 75dff7cec4b3ad9afd75bd0739ac328328103010 Mon Sep 17 00:00:00 2001
From: Thomas Kuschel
Date: Sat, 26 Jul 2025 12:09:07 +0200
Subject: [PATCH] delete old patch files
---
 linux-v6.12.3-arch1.patch | 217 -----------------------------------
 linux-v6.12.6-arch1.patch | 217 -----------------------------------
 linux-v6.12.7-arch1.patch | 230 --------------------------------------
 3 files changed, 664 deletions(-)
 delete mode 100644 linux-v6.12.3-arch1.patch
 delete mode 100644 linux-v6.12.6-arch1.patch
 delete mode 100644 linux-v6.12.7-arch1.patch
diff --git a/linux-v6.12.3-arch1.patch b/linux-v6.12.3-arch1.patch
deleted file mode 100644
index b503354..0000000
--- a/linux-v6.12.3-arch1.patch
+++ /dev/null
@@ -1,217 +0,0 @@
- Makefile | 2 +-
- arch/Kconfig | 4 ++--
- drivers/firmware/sysfb.c | 18 +++++++++++++++++-
- include/linux/user_namespace.h | 4 ++++
- init/Kconfig | 16 ++++++++++++++++
- kernel/fork.c | 14 ++++++++++++++
- kernel/sysctl.c | 12 ++++++++++++
- kernel/user_namespace.c | 7 +++++++
- 8 files changed, 73 insertions(+), 4 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index e81030ec6831434373e1b3661dcb495358e1ccb7..adfe952b62367e51d16f20ed676b097461ab96bb 100644
---- a/Makefile
-+++ b/Makefile
-@@ -2,7 +2,7 @@
- VERSION = 6
- PATCHLEVEL = 12
- SUBLEVEL = 3
--EXTRAVERSION =
-+EXTRAVERSION = -arch1
- NAME = Baby Opossum Posse
-
- # *DOCUMENTATION*
-diff --git a/arch/Kconfig b/arch/Kconfig
-index bd9f095d69fa0300605b455d1d4f89da77129192..5fc4aa6b6b67a286d2e3541c4ac16839a7a5aedf 100644
---- a/arch/Kconfig
-+++ b/arch/Kconfig
-@@ -1089,7 +1089,7 @@ config ARCH_MMAP_RND_BITS
- int "Number of bits to use for ASLR of mmap base address" if EXPERT
- range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX
- default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT
-- default ARCH_MMAP_RND_BITS_MIN
-+ default ARCH_MMAP_RND_BITS_MAX
- depends on HAVE_ARCH_MMAP_RND_BITS
- help
- This value can be used to select the number of bits to use to
-@@ -1123,7 +1123,7 @@ config ARCH_MMAP_RND_COMPAT_BITS
- int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT
- range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX
- default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT
-- default ARCH_MMAP_RND_COMPAT_BITS_MIN
-+ default ARCH_MMAP_RND_COMPAT_BITS_MAX
- depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS
- help
- This value can be used to select the number of bits to use to
-diff --git a/drivers/firmware/sysfb.c b/drivers/firmware/sysfb.c
-index a3df782fa687b0f14a2646eccaf635c3bb247b2b..940d8f51434176586bad53de43bd892a7846c177 100644
---- a/drivers/firmware/sysfb.c
-+++ b/drivers/firmware/sysfb.c
-@@ -35,6 +35,22 @@
- #include
- #include
-
-+static int skip_simpledrm;
-+
-+static int __init simpledrm_disable(char *opt)
-+{
-+ if (!opt)
-+ return -EINVAL;
-+
-+ get_option(&opt, &skip_simpledrm);
-+
-+ if (skip_simpledrm)
-+ pr_info("The simpledrm driver will not be probed\n");
-+
-+ return 0;
-+}
-+early_param("nvidia-drm.modeset", simpledrm_disable);
-+
- static struct platform_device *pd;
- static DEFINE_MUTEX(disable_lock);
- static bool disabled;
-@@ -145,7 +161,7 @@ static __init int sysfb_init(void)
-
- /* try to create a simple-framebuffer device */
- compatible = sysfb_parse_mode(si, &mode);
-- if (compatible) {
-+ if (compatible && !skip_simpledrm) {
- pd = sysfb_create_simplefb(si, &mode, parent);
- if (!IS_ERR(pd))
- goto put_device;
-diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
-index 7183e5aca28291a02cb186bcd8adba81b635b58f..56573371a2f8aff498768f0f3cbd17bbb8b0e15e 100644
---- a/include/linux/user_namespace.h
-+++ b/include/linux/user_namespace.h
-@@ -159,6 +159,8 @@ static inline void set_userns_rlimit_max(struct user_namespace *ns,
-
- #ifdef CONFIG_USER_NS
-
-+extern int unprivileged_userns_clone;
-+
- static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
- {
- if (ns)
-@@ -192,6 +194,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns);
- struct ns_common *ns_get_owner(struct ns_common *ns);
- #else
-
-+#define unprivileged_userns_clone 0
-+
- static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
- {
- return &init_user_ns;
-diff --git a/init/Kconfig b/init/Kconfig
-index 7256fa127530ff893604722a740885551d50c777..164a449360644bc52e6032e1509ff5c65a068193 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -1309,6 +1309,22 @@ config USER_NS
-
- If unsure, say N.
-
-+config USER_NS_UNPRIVILEGED
-+ bool "Allow unprivileged users to create namespaces"
-+ default y
-+ depends on USER_NS
-+ help
-+ When disabled, unprivileged users will not be able to create
-+ new namespaces. Allowing users to create their own namespaces
-+ has been part of several recent local privilege escalation
-+ exploits, so if you need user namespaces but are
-+ paranoid^Wsecurity-conscious you want to disable this.
-+
-+ This setting can be overridden at runtime via the
-+ kernel.unprivileged_userns_clone sysctl.
-+
-+ If unsure, say Y.
-+
- config PID_NS
- bool "PID Namespaces"
- default y
-diff --git a/kernel/fork.c b/kernel/fork.c
-index ce8be55e5e04b31faff120fff14c396372e9f1e5..e97e527cec69d7adaad8365c7ea8a1f54c86445b 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -107,6 +107,10 @@
- #include
- #include
-
-+#ifdef CONFIG_USER_NS
-+#include
-+#endif
-+
- #include
- #include
- #include
-@@ -2158,6 +2162,10 @@ __latent_entropy struct task_struct *copy_process(
- if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
- return ERR_PTR(-EINVAL);
-
-+ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
-+ if (!capable(CAP_SYS_ADMIN))
-+ return ERR_PTR(-EPERM);
-+
- /*
- * Thread groups must share signals as well, and detached threads
- * can only be started up within the thread group.
-@@ -3311,6 +3319,12 @@ int ksys_unshare(unsigned long unshare_flags)
- if (unshare_flags & CLONE_NEWNS)
- unshare_flags |= CLONE_FS;
-
-+ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
-+ err = -EPERM;
-+ if (!capable(CAP_SYS_ADMIN))
-+ goto bad_unshare_out;
-+ }
-+
- err = check_unshare_flags(unshare_flags);
- if (err)
- goto bad_unshare_out;
-diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index 79e6cb1d5c48f8e4f48580114f09bed9d65481af..676e89dc38c339cfb7042f5d9ad825fea9d7b19b 100644
---- a/kernel/sysctl.c
-+++ b/kernel/sysctl.c
-@@ -80,6 +80,9 @@
- #ifdef CONFIG_RT_MUTEXES
- #include
- #endif
-+#ifdef CONFIG_USER_NS
-+#include
-+#endif
-
- /* shared constants to be used in various sysctls */
- const int sysctl_vals[] = { 0, 1, 2, 3, 4, 100, 200, 1000, 3000, INT_MAX, 65535, -1 };
-@@ -1618,6 +1621,15 @@ static struct ctl_table kern_table[] = {
- .mode = 0644,
- .proc_handler = proc_dointvec,
- },
-+#ifdef CONFIG_USER_NS
-+ {
-+ .procname = "unprivileged_userns_clone",
-+ .data = &unprivileged_userns_clone,
-+ .maxlen = sizeof(int),
-+ .mode = 0644,
-+ .proc_handler = proc_dointvec,
-+ },
-+#endif
- #ifdef CONFIG_PROC_SYSCTL
- {
- .procname = "tainted",
-diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index aa0b2e47f2f21bef96c45e09aaa4bc05dc5216b9..d74d857b1696077ae00e87af3de1afc76425d538 100644
---- a/kernel/user_namespace.c
-+++ b/kernel/user_namespace.c
-@@ -22,6 +22,13 @@
- #include
- #include
-
-+/* sysctl */
-+#ifdef CONFIG_USER_NS_UNPRIVILEGED
-+int unprivileged_userns_clone = 1;
-+#else
-+int unprivileged_userns_clone;
-+#endif
-+
- static struct kmem_cache *user_ns_cachep __ro_after_init;
- static DEFINE_MUTEX(userns_state_mutex);
-
diff --git a/linux-v6.12.6-arch1.patch b/linux-v6.12.6-arch1.patch
deleted file mode 100644
index edd97c3..0000000
--- a/linux-v6.12.6-arch1.patch
+++ /dev/null
@@ -1,217 +0,0 @@
- Makefile | 2 +-
- arch/Kconfig | 4 ++--
- drivers/firmware/sysfb.c | 18 +++++++++++++++++-
- include/linux/user_namespace.h | 4 ++++
- init/Kconfig | 16 ++++++++++++++++
- kernel/fork.c | 14 ++++++++++++++
- kernel/sysctl.c | 12 ++++++++++++
- kernel/user_namespace.c | 7 +++++++
- 8 files changed, 73 insertions(+), 4 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index c10952585c14b083349926e4b3a835604d86e8d7..fbeb1cc86345c3e9f0cca646343aba0f8c7bb4c3 100644
---- a/Makefile
-+++ b/Makefile
-@@ -2,7 +2,7 @@
- VERSION = 6
- PATCHLEVEL = 12
- SUBLEVEL = 6
--EXTRAVERSION =
-+EXTRAVERSION = -arch1
- NAME = Baby Opossum Posse
-
- # *DOCUMENTATION*
-diff --git a/arch/Kconfig b/arch/Kconfig
-index bd9f095d69fa0300605b455d1d4f89da77129192..5fc4aa6b6b67a286d2e3541c4ac16839a7a5aedf 100644
---- a/arch/Kconfig
-+++ b/arch/Kconfig
-@@ -1089,7 +1089,7 @@ config ARCH_MMAP_RND_BITS
- int "Number of bits to use for ASLR of mmap base address" if EXPERT
- range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX
- default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT
-- default ARCH_MMAP_RND_BITS_MIN
-+ default ARCH_MMAP_RND_BITS_MAX
- depends on HAVE_ARCH_MMAP_RND_BITS
- help
- This value can be used to select the number of bits to use to
-@@ -1123,7 +1123,7 @@ config ARCH_MMAP_RND_COMPAT_BITS
- int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT
- range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX
- default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT
-- default ARCH_MMAP_RND_COMPAT_BITS_MIN
-+ default ARCH_MMAP_RND_COMPAT_BITS_MAX
- depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS
- help
- This value can be used to select the number of bits to use to
-diff --git a/drivers/firmware/sysfb.c b/drivers/firmware/sysfb.c
-index a3df782fa687b0f14a2646eccaf635c3bb247b2b..940d8f51434176586bad53de43bd892a7846c177 100644
---- a/drivers/firmware/sysfb.c
-+++ b/drivers/firmware/sysfb.c
-@@ -35,6 +35,22 @@
- #include
- #include
-
-+static int skip_simpledrm;
-+
-+static int __init simpledrm_disable(char *opt)
-+{
-+ if (!opt)
-+ return -EINVAL;
-+
-+ get_option(&opt, &skip_simpledrm);
-+
-+ if (skip_simpledrm)
-+ pr_info("The simpledrm driver will not be probed\n");
-+
-+ return 0;
-+}
-+early_param("nvidia-drm.modeset", simpledrm_disable);
-+
- static struct platform_device *pd;
- static DEFINE_MUTEX(disable_lock);
- static bool disabled;
-@@ -145,7 +161,7 @@ static __init int sysfb_init(void)
-
- /* try to create a simple-framebuffer device */
- compatible = sysfb_parse_mode(si, &mode);
-- if (compatible) {
-+ if (compatible && !skip_simpledrm) {
- pd = sysfb_create_simplefb(si, &mode, parent);
- if (!IS_ERR(pd))
- goto put_device;
-diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
-index 7183e5aca28291a02cb186bcd8adba81b635b58f..56573371a2f8aff498768f0f3cbd17bbb8b0e15e 100644
---- a/include/linux/user_namespace.h
-+++ b/include/linux/user_namespace.h
-@@ -159,6 +159,8 @@ static inline void set_userns_rlimit_max(struct user_namespace *ns,
-
- #ifdef CONFIG_USER_NS
-
-+extern int unprivileged_userns_clone;
-+
- static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
- {
- if (ns)
-@@ -192,6 +194,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns);
- struct ns_common *ns_get_owner(struct ns_common *ns);
- #else
-
-+#define unprivileged_userns_clone 0
-+
- static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
- {
- return &init_user_ns;
-diff --git a/init/Kconfig b/init/Kconfig
-index 7256fa127530ff893604722a740885551d50c777..164a449360644bc52e6032e1509ff5c65a068193 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -1309,6 +1309,22 @@ config USER_NS
-
- If unsure, say N.
-
-+config USER_NS_UNPRIVILEGED
-+ bool "Allow unprivileged users to create namespaces"
-+ default y
-+ depends on USER_NS
-+ help
-+ When disabled, unprivileged users will not be able to create
-+ new namespaces. Allowing users to create their own namespaces
-+ has been part of several recent local privilege escalation
-+ exploits, so if you need user namespaces but are
-+ paranoid^Wsecurity-conscious you want to disable this.
-+
-+ This setting can be overridden at runtime via the
-+ kernel.unprivileged_userns_clone sysctl.
-+
-+ If unsure, say Y.
-+
- config PID_NS
- bool "PID Namespaces"
- default y
-diff --git a/kernel/fork.c b/kernel/fork.c
-index ce8be55e5e04b31faff120fff14c396372e9f1e5..e97e527cec69d7adaad8365c7ea8a1f54c86445b 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -107,6 +107,10 @@
- #include
- #include
-
-+#ifdef CONFIG_USER_NS
-+#include
-+#endif
-+
- #include
- #include
- #include
-@@ -2158,6 +2162,10 @@ __latent_entropy struct task_struct *copy_process(
- if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
- return ERR_PTR(-EINVAL);
-
-+ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
-+ if (!capable(CAP_SYS_ADMIN))
-+ return ERR_PTR(-EPERM);
-+
- /*
- * Thread groups must share signals as well, and detached threads
- * can only be started up within the thread group.
-@@ -3311,6 +3319,12 @@ int ksys_unshare(unsigned long unshare_flags)
- if (unshare_flags & CLONE_NEWNS)
- unshare_flags |= CLONE_FS;
-
-+ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
-+ err = -EPERM;
-+ if (!capable(CAP_SYS_ADMIN))
-+ goto bad_unshare_out;
-+ }
-+
- err = check_unshare_flags(unshare_flags);
- if (err)
- goto bad_unshare_out;
-diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index 79e6cb1d5c48f8e4f48580114f09bed9d65481af..676e89dc38c339cfb7042f5d9ad825fea9d7b19b 100644
---- a/kernel/sysctl.c
-+++ b/kernel/sysctl.c
-@@ -80,6 +80,9 @@
- #ifdef CONFIG_RT_MUTEXES
- #include
- #endif
-+#ifdef CONFIG_USER_NS
-+#include
-+#endif
-
- /* shared constants to be used in various sysctls */
- const int sysctl_vals[] = { 0, 1, 2, 3, 4, 100, 200, 1000, 3000, INT_MAX, 65535, -1 };
-@@ -1618,6 +1621,15 @@ static struct ctl_table kern_table[] = {
- .mode = 0644,
- .proc_handler = proc_dointvec,
- },
-+#ifdef CONFIG_USER_NS
-+ {
-+ .procname = "unprivileged_userns_clone",
-+ .data = &unprivileged_userns_clone,
-+ .maxlen = sizeof(int),
-+ .mode = 0644,
-+ .proc_handler = proc_dointvec,
-+ },
-+#endif
- #ifdef CONFIG_PROC_SYSCTL
- {
- .procname = "tainted",
-diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index aa0b2e47f2f21bef96c45e09aaa4bc05dc5216b9..d74d857b1696077ae00e87af3de1afc76425d538 100644
---- a/kernel/user_namespace.c
-+++ b/kernel/user_namespace.c
-@@ -22,6 +22,13 @@
- #include
- #include
-
-+/* sysctl */
-+#ifdef CONFIG_USER_NS_UNPRIVILEGED
-+int unprivileged_userns_clone = 1;
-+#else
-+int unprivileged_userns_clone;
-+#endif
-+
- static struct kmem_cache *user_ns_cachep __ro_after_init;
- static DEFINE_MUTEX(userns_state_mutex);
-
diff --git a/linux-v6.12.7-arch1.patch b/linux-v6.12.7-arch1.patch
deleted file mode 100644
index 34fe264..0000000
--- a/linux-v6.12.7-arch1.patch
+++ /dev/null
@@ -1,230 +0,0 @@
- Makefile | 2 +-
- arch/Kconfig | 4 ++--
- drivers/firmware/sysfb.c | 18 +++++++++++++++++-
- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 1 +
- include/linux/user_namespace.h | 4 ++++
- init/Kconfig | 16 ++++++++++++++++
- kernel/fork.c | 14 ++++++++++++++
- kernel/sysctl.c | 12 ++++++++++++
- kernel/user_namespace.c | 7 +++++++
- 9 files changed, 74 insertions(+), 4 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index 685a57f6c8d27963173944785fdc88c0ce158c45..000e55b91c868f3491f358add79bd9b2b4820e8e 100644
---- a/Makefile
-+++ b/Makefile
-@@ -2,7 +2,7 @@
- VERSION = 6
- PATCHLEVEL = 12
- SUBLEVEL = 7
--EXTRAVERSION =
-+EXTRAVERSION = -arch1
- NAME = Baby Opossum Posse
-
- # *DOCUMENTATION*
-diff --git a/arch/Kconfig b/arch/Kconfig
-index bd9f095d69fa0300605b455d1d4f89da77129192..5fc4aa6b6b67a286d2e3541c4ac16839a7a5aedf 100644
---- a/arch/Kconfig
-+++ b/arch/Kconfig
-@@ -1089,7 +1089,7 @@ config ARCH_MMAP_RND_BITS
- int "Number of bits to use for ASLR of mmap base address" if EXPERT
- range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX
- default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT
-- default ARCH_MMAP_RND_BITS_MIN
-+ default ARCH_MMAP_RND_BITS_MAX
- depends on HAVE_ARCH_MMAP_RND_BITS
- help
- This value can be used to select the number of bits to use to
-@@ -1123,7 +1123,7 @@ config ARCH_MMAP_RND_COMPAT_BITS
- int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT
- range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX
- default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT
-- default ARCH_MMAP_RND_COMPAT_BITS_MIN
-+ default ARCH_MMAP_RND_COMPAT_BITS_MAX
- depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS
- help
- This value can be used to select the number of bits to use to
-diff --git a/drivers/firmware/sysfb.c b/drivers/firmware/sysfb.c
-index a3df782fa687b0f14a2646eccaf635c3bb247b2b..940d8f51434176586bad53de43bd892a7846c177 100644
---- a/drivers/firmware/sysfb.c
-+++ b/drivers/firmware/sysfb.c
-@@ -35,6 +35,22 @@
- #include
- #include
-
-+static int skip_simpledrm;
-+
-+static int __init simpledrm_disable(char *opt)
-+{
-+ if (!opt)
-+ return -EINVAL;
-+
-+ get_option(&opt, &skip_simpledrm);
-+
-+ if (skip_simpledrm)
-+ pr_info("The simpledrm driver will not be probed\n");
-+
-+ return 0;
-+}
-+early_param("nvidia-drm.modeset", simpledrm_disable);
-+
- static struct platform_device *pd;
- static DEFINE_MUTEX(disable_lock);
- static bool disabled;
-@@ -145,7 +161,7 @@ static __init int sysfb_init(void)
-
- /* try to create a simple-framebuffer device */
- compatible = sysfb_parse_mode(si, &mode);
-- if (compatible) {
-+ if (compatible && !skip_simpledrm) {
- pd = sysfb_create_simplefb(si, &mode, parent);
- if (!IS_ERR(pd))
- goto put_device;
-diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
-index 51904906545e5975de775ce3dafee6a3df4a3397..ad4cd84e40f28d439c10dafeb0724793df5624bd 100644
---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
-+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
-@@ -3723,6 +3723,7 @@ static int amdgpu_device_ip_resume_phase3(struct amdgpu_device *adev)
- r = adev->ip_blocks[i].version->funcs->resume(adev);
- if (r)
- return r;
-+ adev->ip_blocks[i].status.hw = true;
- }
- }
-
-diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
-index 7183e5aca28291a02cb186bcd8adba81b635b58f..56573371a2f8aff498768f0f3cbd17bbb8b0e15e 100644
---- a/include/linux/user_namespace.h
-+++ b/include/linux/user_namespace.h
-@@ -159,6 +159,8 @@ static inline void set_userns_rlimit_max(struct user_namespace *ns,
-
- #ifdef CONFIG_USER_NS
-
-+extern int unprivileged_userns_clone;
-+
- static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
- {
- if (ns)
-@@ -192,6 +194,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns);
- struct ns_common *ns_get_owner(struct ns_common *ns);
- #else
-
-+#define unprivileged_userns_clone 0
-+
- static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
- {
- return &init_user_ns;
-diff --git a/init/Kconfig b/init/Kconfig
-index 7256fa127530ff893604722a740885551d50c777..164a449360644bc52e6032e1509ff5c65a068193 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -1309,6 +1309,22 @@ config USER_NS
-
- If unsure, say N.
-
-+config USER_NS_UNPRIVILEGED
-+ bool "Allow unprivileged users to create namespaces"
-+ default y
-+ depends on USER_NS
-+ help
-+ When disabled, unprivileged users will not be able to create
-+ new namespaces. Allowing users to create their own namespaces
-+ has been part of several recent local privilege escalation
-+ exploits, so if you need user namespaces but are
-+ paranoid^Wsecurity-conscious you want to disable this.
-+
-+ This setting can be overridden at runtime via the
-+ kernel.unprivileged_userns_clone sysctl.
-+
-+ If unsure, say Y.
-+
- config PID_NS
- bool "PID Namespaces"
- default y
-diff --git a/kernel/fork.c b/kernel/fork.c
-index ce8be55e5e04b31faff120fff14c396372e9f1e5..e97e527cec69d7adaad8365c7ea8a1f54c86445b 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -107,6 +107,10 @@
- #include
- #include
-
-+#ifdef CONFIG_USER_NS
-+#include
-+#endif
-+
- #include
- #include
- #include
-@@ -2158,6 +2162,10 @@ __latent_entropy struct task_struct *copy_process(
- if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
- return ERR_PTR(-EINVAL);
-
-+ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
-+ if (!capable(CAP_SYS_ADMIN))
-+ return ERR_PTR(-EPERM);
-+
- /*
- * Thread groups must share signals as well, and detached threads
- * can only be started up within the thread group.
-@@ -3311,6 +3319,12 @@ int ksys_unshare(unsigned long unshare_flags)
- if (unshare_flags & CLONE_NEWNS)
- unshare_flags |= CLONE_FS;
-
-+ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
-+ err = -EPERM;
-+ if (!capable(CAP_SYS_ADMIN))
-+ goto bad_unshare_out;
-+ }
-+
- err = check_unshare_flags(unshare_flags);
- if (err)
- goto bad_unshare_out;
-diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index 79e6cb1d5c48f8e4f48580114f09bed9d65481af..676e89dc38c339cfb7042f5d9ad825fea9d7b19b 100644
---- a/kernel/sysctl.c
-+++ b/kernel/sysctl.c
-@@ -80,6 +80,9 @@
- #ifdef CONFIG_RT_MUTEXES
- #include
- #endif
-+#ifdef CONFIG_USER_NS
-+#include
-+#endif
-
- /* shared constants to be used in various sysctls */
- const int sysctl_vals[] = { 0, 1, 2, 3, 4, 100, 200, 1000, 3000, INT_MAX, 65535, -1 };
-@@ -1618,6 +1621,15 @@ static struct ctl_table kern_table[] = {
- .mode = 0644,
- .proc_handler = proc_dointvec,
- },
-+#ifdef CONFIG_USER_NS
-+ {
-+ .procname = "unprivileged_userns_clone",
-+ .data = &unprivileged_userns_clone,
-+ .maxlen = sizeof(int),
-+ .mode = 0644,
-+ .proc_handler = proc_dointvec,
-+ },
-+#endif
- #ifdef CONFIG_PROC_SYSCTL
- {
- .procname = "tainted",
-diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index aa0b2e47f2f21bef96c45e09aaa4bc05dc5216b9..d74d857b1696077ae00e87af3de1afc76425d538 100644
---- a/kernel/user_namespace.c
-+++ b/kernel/user_namespace.c
-@@ -22,6 +22,13 @@
- #include
- #include
-
-+/* sysctl */
-+#ifdef CONFIG_USER_NS_UNPRIVILEGED
-+int unprivileged_userns_clone = 1;
-+#else
-+int unprivileged_userns_clone;
-+#endif
-+
- static struct kmem_cache *user_ns_cachep __ro_after_init;
- static DEFINE_MUTEX(userns_state_mutex);
-