Date: Friday, October 11, 2019 @ 20:33:04 Author: heftig Revision: 364658
4.19.79-2: extramodules-lts removal Added: linux-lts/trunk/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch Modified: linux-lts/trunk/60-linux.hook linux-lts/trunk/90-linux.hook linux-lts/trunk/PKGBUILD Deleted: linux-lts/trunk/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch linux-lts/trunk/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch -----------------------------------------------------------------+ 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch | 132 ++++++++++ 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch | 102 ------- 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch | 57 ---- 60-linux.hook | 1 90-linux.hook | 2 PKGBUILD | 41 +-- 6 files changed, 150 insertions(+), 185 deletions(-) Added: 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch =================================================================== --- 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch (rev 0) +++ 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch 2019-10-11 20:33:04 UTC (rev 364658) 
@@ -0,0 +1,132 @@ +From 6136ffb3d88e9f044260f8288d2d0a1edd64379e Mon Sep 17 00:00:00 2001 +From: "Jan Alexander Steffens (heftig)" <jan.steff...@gmail.com> +Date: Mon, 16 Sep 2019 04:53:20 +0200 +Subject: [PATCH] ZEN: Add sysctl and CONFIG to disallow unprivileged + CLONE_NEWUSER + +Our default behavior continues to match the vanilla kernel. +--- + init/Kconfig | 16 ++++++++++++++++ + kernel/fork.c | 15 +++++++++++++++ + kernel/sysctl.c | 12 ++++++++++++ + kernel/user_namespace.c | 7 +++++++ + 4 files changed, 50 insertions(+) + +diff --git a/init/Kconfig b/init/Kconfig +index bd7d650d4a99..658f9c052151 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1091,6 +1091,22 @@ config USER_NS + + If unsure, say N. + ++config USER_NS_UNPRIVILEGED ++ bool "Allow unprivileged users to create namespaces" ++ default y ++ depends on USER_NS ++ help ++ When disabled, unprivileged users will not be able to create ++ new namespaces. Allowing users to create their own namespaces ++ has been part of several recent local privilege escalation ++ exploits, so if you need user namespaces but are ++ paranoid^Wsecurity-conscious you want to disable this. ++ ++ This setting can be overridden at runtime via the ++ kernel.unprivileged_userns_clone sysctl. ++ ++ If unsure, say Y. 
++ + config PID_NS + bool "PID Namespaces" + default y +diff --git a/kernel/fork.c b/kernel/fork.c +index 541fd805fb88..ffd57c812153 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -106,6 +106,11 @@ + + #define CREATE_TRACE_POINTS + #include <trace/events/task.h> ++#ifdef CONFIG_USER_NS ++extern int unprivileged_userns_clone; ++#else ++#define unprivileged_userns_clone 0 ++#endif + + /* + * Minimum number of threads to boot the kernel +@@ -1788,6 +1793,10 @@ static __latent_entropy struct task_struct *copy_process( + if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) + return ERR_PTR(-EINVAL); + ++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) ++ if (!capable(CAP_SYS_ADMIN)) ++ return ERR_PTR(-EPERM); ++ + /* + * Thread groups must share signals as well, and detached threads + * can only be started up within the thread group. +@@ -2819,6 +2828,12 @@ int ksys_unshare(unsigned long unshare_flags) + if (unshare_flags & CLONE_NEWNS) + unshare_flags |= CLONE_FS; + ++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) { ++ err = -EPERM; ++ if (!capable(CAP_SYS_ADMIN)) ++ goto bad_unshare_out; ++ } ++ + err = check_unshare_flags(unshare_flags); + if (err) + goto bad_unshare_out; +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index 078950d9605b..baead3605bbe 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -110,6 +110,9 @@ extern int core_uses_pid; + extern char core_pattern[]; + extern unsigned int core_pipe_limit; + #endif ++#ifdef CONFIG_USER_NS ++extern int unprivileged_userns_clone; ++#endif + extern int pid_max; + extern int pid_max_min, pid_max_max; + extern int percpu_pagelist_fraction; +@@ -545,6 +548,15 @@ static struct ctl_table kern_table[] = { + .proc_handler = proc_dointvec, + }, + #endif ++#ifdef CONFIG_USER_NS ++ { ++ .procname = "unprivileged_userns_clone", ++ .data = &unprivileged_userns_clone, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ }, 
++#endif + #ifdef CONFIG_PROC_SYSCTL + { + .procname = "tainted", +diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c +index 8eadadc478f9..c36ecd19562c 100644 +--- a/kernel/user_namespace.c ++++ b/kernel/user_namespace.c +@@ -21,6 +21,13 @@ + #include <linux/bsearch.h> + #include <linux/sort.h> + ++/* sysctl */ ++#ifdef CONFIG_USER_NS_UNPRIVILEGED ++int unprivileged_userns_clone = 1; ++#else ++int unprivileged_userns_clone; ++#endif ++ + static struct kmem_cache *user_ns_cachep __read_mostly; + static DEFINE_MUTEX(userns_state_mutex); + +-- +2.23.0 + Deleted: 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch =================================================================== --- 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch 2019-10-11 20:33:01 UTC (rev 364657) +++ 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch 2019-10-11 20:33:04 UTC (rev 364658) 
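Review bot: The new `unprivileged_userns_clone` entry in the kernel/sysctl.c hunk is registered with plain `proc_dointvec` and no `extra1`/`extra2`, so any integer (2, -1, …) is accepted and stored; the `!unprivileged_userns_clone` tests in the kernel/fork.c hunk then treat every non-zero value as "allowed" while a read hands the odd value back to tooling and audit scripts. Switch it to `.proc_handler = proc_dointvec_minmax, .extra1 = &zero, .extra2 = &one,` (the file's existing bound variables) so the knob is strictly 0/1 as the Kconfig help text describes; `.mode = 0644` already limits writes to root, so this is about consistency rather than access. In copy_process the check is a brace-less nested `if`; writing it as the single condition `if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone && !capable(CAP_SYS_ADMIN))` mirrors the ksys_unshare form and avoids the dangling-if hazard. The Kconfig help says unprivileged users "will not be able to create new namespaces"; since the gate is only on CLONE_NEWUSER, "new user namespaces" is the accurate wording. Both kernel/fork.c functions extend beyond the hunks shown.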
@@ -1,102 +0,0 @@ -From 96161597803746c97c43e0703ca2a059bdd7a8f7 Mon Sep 17 00:00:00 2001 -From: Serge Hallyn <serge.hal...@canonical.com> -Date: Fri, 31 May 2013 19:12:12 +0100 -Subject: [PATCH 1/2] add sysctl to disallow unprivileged CLONE_NEWUSER by - default - -Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com> -[bwh: Remove unneeded binary sysctl bits] -Signed-off-by: Daniel Micay <danielmi...@gmail.com> ---- - kernel/fork.c | 15 +++++++++++++++ - kernel/sysctl.c | 12 ++++++++++++ - kernel/user_namespace.c | 3 +++ - 3 files changed, 30 insertions(+) - -diff --git a/kernel/fork.c b/kernel/fork.c -index 2628f3773ca8..a2da35b446a6 100644 ---- a/kernel/fork.c -+++ b/kernel/fork.c -@@ -103,6 +103,11 @@ - - #define CREATE_TRACE_POINTS - #include <trace/events/task.h> -+#ifdef CONFIG_USER_NS -+extern int unprivileged_userns_clone; -+#else -+#define unprivileged_userns_clone 0 -+#endif - - /* - * Minimum number of threads to boot the kernel -@@ -1719,6 +1724,10 @@ static __latent_entropy struct task_struct *copy_process( - if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) - return ERR_PTR(-EINVAL); - -+ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) -+ if (!capable(CAP_SYS_ADMIN)) -+ return ERR_PTR(-EPERM); -+ - /* - * Thread groups must share signals as well, and detached threads - * can only be started up within the thread group. 
-@@ -2554,6 +2563,12 @@ int ksys_unshare(unsigned long unshare_flags) - if (unshare_flags & CLONE_NEWNS) - unshare_flags |= CLONE_FS; - -+ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) { -+ err = -EPERM; -+ if (!capable(CAP_SYS_ADMIN)) -+ goto bad_unshare_out; -+ } -+ - err = check_unshare_flags(unshare_flags); - if (err) - goto bad_unshare_out; -diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index 387efbaf464a..b393beb76f34 100644 ---- a/kernel/sysctl.c -+++ b/kernel/sysctl.c -@@ -108,6 +108,9 @@ extern int core_uses_pid; - extern char core_pattern[]; - extern unsigned int core_pipe_limit; - #endif -+#ifdef CONFIG_USER_NS -+extern int unprivileged_userns_clone; -+#endif - extern int pid_max; - extern int pid_max_min, pid_max_max; - extern int percpu_pagelist_fraction; -@@ -535,6 +538,15 @@ static struct ctl_table kern_table[] = { - .proc_handler = proc_dointvec, - }, - #endif -+#ifdef CONFIG_USER_NS -+ { -+ .procname = "unprivileged_userns_clone", -+ .data = &unprivileged_userns_clone, -+ .maxlen = sizeof(int), -+ .mode = 0644, -+ .proc_handler = proc_dointvec, -+ }, -+#endif - #ifdef CONFIG_PROC_SYSCTL - { - .procname = "tainted", -diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c -index 923414a246e9..6b9dbc257e34 100644 ---- a/kernel/user_namespace.c -+++ b/kernel/user_namespace.c -@@ -26,6 +26,9 @@ - #include <linux/bsearch.h> - #include <linux/sort.h> - -+/* sysctl */ -+int unprivileged_userns_clone; -+ - static struct kmem_cache *user_ns_cachep __read_mostly; - static DEFINE_MUTEX(userns_state_mutex); - --- -2.22.0 - Deleted: 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch =================================================================== --- 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch 2019-10-11 20:33:01 UTC (rev 364657) +++ 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch 2019-10-11 20:33:04 UTC (rev 364658) 
@@ -1,57 +0,0 @@ -From 1f89ffcbd1b6b6639eb49c521ac0d308a723cd3c Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" <jan.steff...@gmail.com> -Date: Thu, 7 Dec 2017 13:50:48 +0100 -Subject: [PATCH 2/2] ZEN: Add CONFIG for unprivileged_userns_clone - -This way our default behavior continues to match the vanilla kernel. ---- - init/Kconfig | 16 ++++++++++++++++ - kernel/user_namespace.c | 4 ++++ - 2 files changed, 20 insertions(+) - -diff --git a/init/Kconfig b/init/Kconfig -index 4592bf7997c0..f3df02990aff 100644 ---- a/init/Kconfig -+++ b/init/Kconfig -@@ -1004,6 +1004,22 @@ config USER_NS - - If unsure, say N. - -+config USER_NS_UNPRIVILEGED -+ bool "Allow unprivileged users to create namespaces" -+ default y -+ depends on USER_NS -+ help -+ When disabled, unprivileged users will not be able to create -+ new namespaces. Allowing users to create their own namespaces -+ has been part of several recent local privilege escalation -+ exploits, so if you need user namespaces but are -+ paranoid^Wsecurity-conscious you want to disable this. -+ -+ This setting can be overridden at runtime via the -+ kernel.unprivileged_userns_clone sysctl. -+ -+ If unsure, say Y. -+ - config PID_NS - bool "PID Namespaces" - default y -diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c -index 6b9dbc257e34..107b17f0d528 100644 ---- a/kernel/user_namespace.c -+++ b/kernel/user_namespace.c -@@ -27,7 +27,11 @@ - #include <linux/sort.h> - - /* sysctl */ -+#ifdef CONFIG_USER_NS_UNPRIVILEGED -+int unprivileged_userns_clone = 1; -+#else - int unprivileged_userns_clone; -+#endif - - static struct kmem_cache *user_ns_cachep __read_mostly; - static DEFINE_MUTEX(userns_state_mutex); --- -2.22.0 - Modified: 60-linux.hook =================================================================== --- 60-linux.hook 2019-10-11 20:33:01 UTC (rev 364657) +++ 60-linux.hook 2019-10-11 20:33:04 UTC (rev 364658) 
@@ -4,7 +4,6 @@ Operation = Upgrade Operation = Remove Target = usr/lib/modules/%KERNVER%/* -Target = usr/lib/modules/%EXTRAMODULES%/* [Action] Description = Updating %PKGBASE% module dependencies... Modified: 90-linux.hook =================================================================== --- 90-linux.hook 2019-10-11 20:33:01 UTC (rev 364657) +++ 90-linux.hook 2019-10-11 20:33:04 UTC (rev 364658) @@ -2,7 +2,7 @@ Type = File Operation = Install Operation = Upgrade -Target = boot/vmlinuz-%PKGBASE% +Target = usr/lib/modules/%KERNVER%/vmlinuz Target = usr/lib/initcpio/* [Action] Modified: PKGBUILD =================================================================== --- PKGBUILD 2019-10-11 20:33:01 UTC (rev 364657) +++ PKGBUILD 2019-10-11 20:33:04 UTC (rev 364658) @@ -2,18 +2,20 @@ pkgbase=linux-lts pkgver=4.19.79 -_srcname=linux-${pkgver} -pkgrel=1 +pkgrel=2 arch=('x86_64') url="https://www.kernel.org/" license=('GPL2') -makedepends=(xmlto kmod inetutils bc libelf python-sphinx python-sphinx_rtd_theme graphviz imagemagick) +makedepends=(xmlto kmod inetutils bc libelf python-sphinx python-sphinx_rtd_theme + graphviz imagemagick) options=('!strip') +_srcname=linux-${pkgver} source=(https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.{xz,sign} 'config' # the main kernel config file '60-linux.hook' # pacman hook for depmod '90-linux.hook' # pacman hook for initramfs regeneration 'linux-lts.preset' # standard config files for mkinitcpio ramdisk + '0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch' ) validpgpkeys=('ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds <torva...@linux-foundation.org> '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman (Linux kernel stable release signing key) <g...@kroah.com> 
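Review bot: Nothing in this commit applies the `0001-ZEN-…C.patch` that the `@@ -2,18` hunk adds to `source=()`; the prepare() hunk at `@@ -50,8` shows only the config and kernelrelease steps. If an existing loop above those lines applies every `*.patch` in `source`, this is fine, but it is worth confirming against the full PKGBUILD, because a patch that is fetched and checksummed but never applied produces no build error — the `kernel.unprivileged_userns_clone` sysctl would simply be absent from the resulting kernel. The sha256sums hunk does carry a checksum for the new file, so integrity of the fetched patch is covered.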
@@ -22,9 +24,10 @@ sha256sums=('f1143564364f278ba0893a7813afc02da6ecef6d5de147bd5011aa3cc1634b34' 'SKIP' '328db52e866c57634cd79b59080900e39a42995408823fb04805fcaf3e0565ee' - 'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21' - '75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919' - 'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65') + '452b8d4d71e1565ca91b1bebb280693549222ef51c47ba8964e411b2d461699c' + 'c043f3033bb781e2688794a59f6d1f7ed49ef9b13eb77ff9a425df33a244a636' + 'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65' + 'a13581d3c6dc595206e4fe7fcf6b542e7a1bdbe96101f0f010fc5be49f99baf2') _kernelname=${pkgbase#linux} : ${_kernelname:=-lts} @@ -50,8 +53,8 @@ cp ../config .config make olddefconfig - make -s kernelrelease > ../version - msg2 "Prepared %s version %s" "$pkgbase" "$(<../version)" + make -s kernelrelease > version + msg2 "Prepared %s version %s" "$pkgbase" "$(<version)" } build() { @@ -67,11 +70,10 @@ backup=("etc/mkinitcpio.d/$pkgbase.preset") install=linux-lts.install + cd $_srcname local kernver="$(<version)" local modulesdir="$pkgdir/usr/lib/modules/$kernver" - cd $_srcname - msg2 "Installing boot image..." # systemd expects to find the kernel here to allow hibernation # https://github.com/systemd/systemd/commit/edda44605f06a41fb86b7ab8128dcf99161d2344 @@ -84,13 +86,6 @@ msg2 "Installing modules..." make INSTALL_MOD_PATH="$pkgdir/usr" modules_install - # a place for external modules, - # with version file for building modules and running depmod from hook - local extramodules="extramodules$_kernelname" - local extradir="$pkgdir/usr/lib/modules/$extramodules" - install -Dt "$extradir" -m644 ../version - ln -sr "$extradir" "$modulesdir/extramodules" - # remove build and source links rm "$modulesdir"/{source,build} @@ -99,7 +94,6 @@ local subst=" s|%PKGBASE%|$pkgbase|g s|%KERNVER%|$kernver|g - s|%EXTRAMODULES%|$extramodules|g " # hack to allow specifying an initially nonexisting install file 
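Review bot: The added `cd $_srcname` in the `@@ -67,11` hunk is unquoted; `_srcname` expands to `linux-4.19.79` today, but `cd "$_srcname"` costs nothing, keeps word-splitting out of the picture if the name ever changes, and matches the quoted `"$pkgdir"` style used in the same function. The same unquoted form is added by the `@@ -121,12` hunk in `_package-headers()` and the `@@ -202,10` hunk in `_package-docs()` (that last hunk is cut off at the end of this view). Moving the `cd` ahead of `local kernver="$(<version)"` is required now that the prepare() hunk writes `version` inside the source tree, so that ordering is correct.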
@@ -121,12 +115,12 @@ _package-headers() { pkgdesc="Header files and scripts for building modules for ${pkgbase/linux/Linux} kernel" + cd $_srcname local builddir="$pkgdir/usr/lib/modules/$(<version)/build" - cd $_srcname - msg2 "Installing build files..." - install -Dt "$builddir" -m644 Makefile .config Module.symvers System.map vmlinux + install -Dt "$builddir" -m644 .config Makefile Module.symvers System.map \ + localversion.* version vmlinux install -Dt "$builddir/kernel" -m644 kernel/Makefile install -Dt "$builddir/arch/x86" -m644 arch/x86/Makefile cp -t "$builddir" -a scripts @@ -193,7 +187,7 @@ msg2 "Adding symlink..." mkdir -p "$pkgdir/usr/src" - ln -sr "$builddir" "$pkgdir/usr/src/$pkgbase-$pkgver" + ln -sr "$builddir" "$pkgdir/usr/src/$pkgbase" msg2 "Fixing permissions..." chmod -Rc u=rwX,go=rX "$pkgdir" @@ -202,10 +196,9 @@ _package-docs() { pkgdesc="Kernel hackers manual - HTML documentation that comes with the ${pkgbase/linux/Linux} kernel" + cd $_srcname local builddir="$pkgdir/usr/lib/modules/$(<version)/build" - cd $_srcname - msg2 "Installing documentation..." mkdir -p "$builddir" cp -t "$builddir" -a Documentation
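Review bot: The new install line in the `@@ -121,12` hunk relies on `localversion.*` matching at least one file; with bash's default globbing an unmatched pattern is passed literally and `install` then fails on a non-existent `localversion.*` path. If prepare() creates those files before this runs (not visible in this diff) the glob is safe, but the dependency deserves to be explicit, either as a comment such as `# localversion.* files are written by prepare()` above the line or as a `shopt -s nullglob` scoped to the function. `_package-headers()` continues past the end of the hunk.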