From e3f67fd712a83052fdc3e4e82ae1fb9bc832c906 Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Wed, 13 Nov 2013 10:58:05 -0500
Subject: [PATCH] Enable USER_NS for root-only processes (rhbz 917708) - Fixup keys-krb-support.patch to build with USER_NS enabled
---
...low-unprivileged-users-to-create-use.patch | 41 +++++++++++++++++++
config-generic | 2 +-
kernel.spec | 10 ++++-
keys-krb-support.patch | 10 ++---
4 files changed, 56 insertions(+), 7 deletions(-)
create mode 100644 Revert-userns-Allow-unprivileged-users-to-create-use.patch
diff --git a/Revert-userns-Allow-unprivileged-users-to-create-use.patch b/Revert-userns-Allow-unprivileged-users-to-create-use.patch
new file mode 100644
index 000000000..5713dbb20
--- /dev/null
+++ b/Revert-userns-Allow-unprivileged-users-to-create-use.patch
@@ -0,0 +1,41 @@
+From e3da68be55914bfeedb8866f191cc0958579611d Mon Sep 17 00:00:00 2001
+From: Josh Boyer
+Date: Wed, 13 Nov 2013 10:21:18 -0500
+Subject: [PATCH] Revert "userns: Allow unprivileged users to create user
+ namespaces."
+
+This reverts commit 5eaf563e53294d6696e651466697eb9d491f3946.
+
+Conflicts:
+ kernel/fork.c
+---
+ kernel/fork.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/kernel/fork.c b/kernel/fork.c
+index f6d11fc..e04c9a7 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1573,6 +1573,19 @@ long do_fork(unsigned long clone_flags,
+ long nr;
+
+ /*
++ * Do some preliminary argument and permissions checking before we
++ * actually start allocating stuff
++ */
++ if (clone_flags & CLONE_NEWUSER) {
++ /* hopefully this check will go away when userns support is
++ * complete
++ */
++ if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) ||
++ !capable(CAP_SETGID))
++ return -EPERM;
++ }
++
++ /*
+ * Determine whether and which event to report to ptracer. When
+ * called from kernel_thread or CLONE_UNTRACED is explicitly
+ * requested, no event is reported; otherwise, report if the event
+--
+1.8.3.1
+
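Review bot: The restored `CLONE_NEWUSER` capability check in this patch file sits only in `do_fork()`, so it gates namespace creation through clone()/fork() and nothing in the hunk shows an equivalent gate on the unshare() path, which does not pass through `do_fork()`. Since the commit subject promises root-only USER_NS, confirm that path is covered as well, or hoist the check into the common creation routine (presumably `create_user_ns()`) so every entry point shares it. The carried-over comment "hopefully this check will go away when userns support is complete" also misdescribes what is now a deliberate distro policy; I would replace it with `/* Fedora policy (rhbz 917708): only real root may create user namespaces */`. `do_fork()` begins and continues outside the hunk.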
diff --git a/config-generic b/config-generic
index 490c77fa7..f80c276e1 100644
--- a/config-generic
+++ b/config-generic
@@ -61,7 +61,7 @@ CONFIG_PID_NS=y
 CONFIG_UTS_NS=y
 CONFIG_IPC_NS=y
 CONFIG_NET_NS=y
-# CONFIG_USER_NS is not set
+CONFIG_USER_NS=y
 # CONFIG_UIDGID_STRICT_TYPE_CHECKS is not set
 CONFIG_POSIX_MQUEUE=y
diff --git a/kernel.spec b/kernel.spec
index 64e279bc8..bd7da9b89 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 1
+%global baserelease 2
 %global fedora_build %{baserelease}
 # base_sublevel is the kernel version we're starting with and patching
@@ -627,6 +627,9 @@ Patch530: silence-fbcon-logo.patch
 Patch600: 0001-lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch
+#rhbz 917708
+Patch700: Revert-userns-Allow-unprivileged-users-to-create-use.patch
+
 Patch800: crash-driver.patch
 # crypto/
@@ -1341,6 +1344,8 @@ ApplyPatch silence-fbcon-logo.patch
 # Changes to upstream defaults.
+#rhbz 917708
+ApplyPatch Revert-userns-Allow-unprivileged-users-to-create-use.patch
 # /dev/crash driver.
 ApplyPatch crash-driver.patch
@@ -2233,6 +2238,9 @@ fi
 # ||----w |
 # || ||
 %changelog
+* Wed Nov 13 2013 Josh Boyer - 3.13.0-0.rc0.git3.2
+- Enable USER_NS for root-only processes (rhbz 917708)
+
 * Wed Nov 13 2013 Josh Boyer - 3.13.0-0.rc0.git3.1
 - Linux v3.12-7033-g42a2d92
diff --git a/keys-krb-support.patch b/keys-krb-support.patch
index 8bffaae8b..aa4752c78 100644
--- a/keys-krb-support.patch
+++ b/keys-krb-support.patch
@@ -444,7 +444,7 @@ index 13fb113..2dbc299 100644
 set_cred_user_ns(new, ns);
 +#ifdef CONFIG_PERSISTENT_KEYRINGS
-+ rwsem_init(&ns->persistent_keyring_register_sem);
++ init_rwsem(&ns->persistent_keyring_register_sem);
 +#endif
 return 0;
 }
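Review bot: In config-generic, `CONFIG_USER_NS=y` is only root-restricted while Patch700 is applied, and nothing beside the option records that coupling, so a later rebase that drops the patch would ship user namespaces to unprivileged users without any config change to flag it. I would add a comment directly above the option, e.g. `# USER_NS is limited to root by Revert-userns-Allow-unprivileged-users-to-create-use.patch (rhbz 917708); do not enable without it`. The neighbouring context line `# CONFIG_UIDGID_STRICT_TYPE_CHECKS is not set` is also worth re-checking: the `uid_eq()` fixups to keys-krb-support.patch in this same commit suggest strict kuid_t typing is now in effect, in which case that line no longer reflects the built configuration.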
@@ -699,10 +699,10 @@ index 0000000..631a022
 + /* You can only see your own persistent cache if you're not
 + * sufficiently privileged.
 + */
-+ if (uid != current_uid() &&
-+ uid != current_suid() &&
-+ uid != current_euid() &&
-+ uid != current_fsuid() &&
++ if (!uid_eq(uid, current_uid()) &&
++ /* uid_eq(uid, current_suid()) && */
++ !uid_eq(uid, current_euid()) &&
++ /* uid_eq(uid, current_fsuid()) && */
 + !ns_capable(ns, CAP_SETUID))
 + return -EPERM;
 + }
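Review bot: The two commented-out comparisons in the rewritten condition, `/* uid_eq(uid, current_suid()) && */` and `/* uid_eq(uid, current_fsuid()) && */`, change what this permission check accepts, and they lack the `!` that the live lines carry, so un-commenting them as written would weaken the test rather than restore it. With them disabled, a caller whose uid matches only its saved or filesystem uid now gets -EPERM unless it holds CAP_SETUID in the namespace; that fails closed, but the commit message describes only a build fix. Either restore them as `!uid_eq(uid, current_suid()) &&` and `!uid_eq(uid, current_fsuid()) &&`, or delete them and state the narrower rule in the comment above the condition. The enclosing function begins and ends outside the hunk.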