Enable USER_NS for root-only processes (rhbz 917708)

- Fixup keys-krb-support.patch to build with USER_NS enabled
2013-11-13 10:58:05 -05:00 · 2013-11-13 10:58:05 -05:00 · e3f67fd712
commit e3f67fd712
parent 991987b307
4 changed files with 56 additions and 7 deletions
--- a/Revert-userns-Allow-unprivileged-users-to-create-use.patch
+++ b/Revert-userns-Allow-unprivileged-users-to-create-use.patch
@ -0,0 +1,41 @@
 From e3da68be55914bfeedb8866f191cc0958579611d Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Wed, 13 Nov 2013 10:21:18 -0500
 Subject: [PATCH] Revert "userns: Allow unprivileged users to create user
 namespaces."
 This reverts commit 5eaf563e53294d6696e651466697eb9d491f3946.
 Conflicts:
 	kernel/fork.c
 ---
 kernel/fork.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 diff --git a/kernel/fork.c b/kernel/fork.c
 index f6d11fc..e04c9a7 100644
 --- a/kernel/fork.c
 +++ b/kernel/fork.c
@@ -1573,6 +1573,19 @@ long do_fork(unsigned long clone_flags,
 	long nr;
 	/*
 +	 * Do some preliminary argument and permissions checking before we
 +	 * actually start allocating stuff
 +	 */
 +	if (clone_flags & CLONE_NEWUSER) {
 +		/* hopefully this check will go away when userns support is
 +		 * complete
 +		 */
 +		if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) ||
 +				!capable(CAP_SETGID))
 +			return -EPERM;
 +	}
 +
 +	/*
 	 * Determine whether and which event to report to ptracer.  When
 	 * called from kernel_thread or CLONE_UNTRACED is explicitly
 	 * requested, no event is reported; otherwise, report if the event
 -- 
 1.8.3.1
--- a/2
+++ b/2
@ -61,7 +61,7 @@ CONFIG_PID_NS=y
 CONFIG_UTS_NS=y
 CONFIG_IPC_NS=y
 CONFIG_NET_NS=y
-# CONFIG_USER_NS is not set
+CONFIG_USER_NS=y
 # CONFIG_UIDGID_STRICT_TYPE_CHECKS is not set
 CONFIG_POSIX_MQUEUE=y
--- a/kernel.spec
+++ b/kernel.spec
@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 1
+%global baserelease 2
 %global fedora_build %{baserelease}
 # base_sublevel is the kernel version we're starting with and patching
@ -627,6 +627,9 @@ Patch530: silence-fbcon-logo.patch
 Patch600: 0001-lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch
 #rhbz 917708
 Patch700: Revert-userns-Allow-unprivileged-users-to-create-use.patch
 Patch800: crash-driver.patch
 # crypto/
@ -1341,6 +1344,8 @@ ApplyPatch silence-fbcon-logo.patch
 # Changes to upstream defaults.
 #rhbz 917708
 ApplyPatch Revert-userns-Allow-unprivileged-users-to-create-use.patch
 # /dev/crash driver.
 ApplyPatch crash-driver.patch
@ -2233,6 +2238,9 @@ fi
 #                                    ||----w |
 #                                    ||     ||
 %changelog
 * Wed Nov 13 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.13.0-0.rc0.git3.2
 - Enable USER_NS for root-only processes (rhbz 917708)
 * Wed Nov 13 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.13.0-0.rc0.git3.1
 - Linux v3.12-7033-g42a2d92
--- a/keys-krb-support.patch
+++ b/keys-krb-support.patch
@ -444,7 +444,7 @@ index 13fb113..2dbc299 100644
 	set_cred_user_ns(new, ns);
 +#ifdef CONFIG_PERSISTENT_KEYRINGS
-+	rwsem_init(&ns->persistent_keyring_register_sem);
+	init_rwsem(&ns->persistent_keyring_register_sem);
 +#endif
 	return 0;
 }
@ -699,10 +699,10 @@ index 0000000..631a022
 +		/* You can only see your own persistent cache if you're not
 +		 * sufficiently privileged.
 +		 */
-+		if (uid != current_uid() &&
+		if (!uid_eq(uid, current_uid()) &&
-+		    uid != current_suid() &&
+		  /*  uid_eq(uid, current_suid()) && */
-+		    uid != current_euid() &&
+		    !uid_eq(uid, current_euid()) &&
-+		    uid != current_fsuid() &&
+		  /*  uid_eq(uid, current_fsuid()) && */
 +		    !ns_capable(ns, CAP_SETUID))
 +			return -EPERM;
 +	}