Enable USER_NS for root-only processes (rhbz 917708)

- Fixup keys-krb-support.patch to build with USER_NS enabled
2013-11-13 10:58:05 -05:00 · 2013-11-13 10:58:05 -05:00 · e3f67fd712
commit e3f67fd712
parent 991987b307
4 changed files with 56 additions and 7 deletions
--- a/Revert-userns-Allow-unprivileged-users-to-create-use.patch
+++ b/Revert-userns-Allow-unprivileged-users-to-create-use.patch
@ -0,0 +1,41 @@
+From e3da68be55914bfeedb8866f191cc0958579611d Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Wed, 13 Nov 2013 10:21:18 -0500
+Subject: [PATCH] Revert "userns: Allow unprivileged users to create user
+ namespaces."
+
+This reverts commit 5eaf563e53294d6696e651466697eb9d491f3946.
+
+Conflicts:
+	kernel/fork.c
+---
+ kernel/fork.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/kernel/fork.c b/kernel/fork.c
+index f6d11fc..e04c9a7 100644
+--- a/kernel/fork.c
+++ b/kernel/fork.c
+@@ -1573,6 +1573,19 @@ long do_fork(unsigned long clone_flags,
+ 	long nr;
+ 
+ 	/*
+	 * Do some preliminary argument and permissions checking before we
+	 * actually start allocating stuff
+	 */
+	if (clone_flags & CLONE_NEWUSER) {
+		/* hopefully this check will go away when userns support is
+		 * complete
+		 */
+		if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) ||
+				!capable(CAP_SETGID))
+			return -EPERM;
+	}
+
+	/*
+ 	 * Determine whether and which event to report to ptracer.  When
+ 	 * called from kernel_thread or CLONE_UNTRACED is explicitly
+ 	 * requested, no event is reported; otherwise, report if the event
+-- 
+1.8.3.1
+
--- a/2
+++ b/2
@ -61,7 +61,7 @@ CONFIG_PID_NS=y
 CONFIG_UTS_NS=y
 CONFIG_IPC_NS=y
 CONFIG_NET_NS=y
-# CONFIG_USER_NS is not set
+CONFIG_USER_NS=y
 # CONFIG_UIDGID_STRICT_TYPE_CHECKS is not set

 CONFIG_POSIX_MQUEUE=y
--- a/kernel.spec
+++ b/kernel.spec
@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 1
+%global baserelease 2
 %global fedora_build %{baserelease}

 # base_sublevel is the kernel version we're starting with and patching
@ -627,6 +627,9 @@ Patch530: silence-fbcon-logo.patch

 Patch600: 0001-lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch

+#rhbz 917708
+Patch700: Revert-userns-Allow-unprivileged-users-to-create-use.patch
+
 Patch800: crash-driver.patch

 # crypto/
@ -1341,6 +1344,8 @@ ApplyPatch silence-fbcon-logo.patch

 # Changes to upstream defaults.

+#rhbz 917708
+ApplyPatch Revert-userns-Allow-unprivileged-users-to-create-use.patch

 # /dev/crash driver.
 ApplyPatch crash-driver.patch
@ -2233,6 +2238,9 @@ fi
 #                                    ||----w |
 #                                    ||     ||
 %changelog
+* Wed Nov 13 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.13.0-0.rc0.git3.2
+- Enable USER_NS for root-only processes (rhbz 917708)
+
 * Wed Nov 13 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.13.0-0.rc0.git3.1
 - Linux v3.12-7033-g42a2d92

--- a/keys-krb-support.patch
+++ b/keys-krb-support.patch
@ -444,7 +444,7 @@ index 13fb113..2dbc299 100644
 	set_cred_user_ns(new, ns);
 
 +#ifdef CONFIG_PERSISTENT_KEYRINGS
-+	rwsem_init(&ns->persistent_keyring_register_sem);
+	init_rwsem(&ns->persistent_keyring_register_sem);
 +#endif
 	return 0;
 }
@ -699,10 +699,10 @@ index 0000000..631a022
 +		/* You can only see your own persistent cache if you're not
 +		 * sufficiently privileged.
 +		 */
-+		if (uid != current_uid() &&
-+		    uid != current_suid() &&
-+		    uid != current_euid() &&
-+		    uid != current_fsuid() &&
+		if (!uid_eq(uid, current_uid()) &&
+		  /*  uid_eq(uid, current_suid()) && */
+		    !uid_eq(uid, current_euid()) &&
+		  /*  uid_eq(uid, current_fsuid()) && */
 +		    !ns_capable(ns, CAP_SETUID))
 +			return -EPERM;
 +	}