#1 2024-02-08 21:07:12

slytux
Member
From: New York
Registered: 2010-09-25
Posts: 129

Arch's 6.7.x linux kernel patchset

I saw that Arch is maintaining a patchset that is applied on the 6.7.x series.  I am posting an old one that was previously maintained because it seems like there could be a security issue or vector unpatched.

The file was 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch

From ee91df95bf010fad44be5d2564e7d40038987f19 Mon Sep 17 00:00:00 2001
Message-Id: <ee91df95bf010fad44be5d2564e7d40038987f19.1527290717.git.jan.steffens@gmail.com>
From: Serge Hallyn <serge.hallyn@canonical.com>
Date: Fri, 31 May 2013 19:12:12 +0100
Subject: [PATCH 1/3] add sysctl to disallow unprivileged CLONE_NEWUSER by
 default

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
[bwh: Remove unneeded binary sysctl bits]
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
---
 kernel/fork.c           | 15 +++++++++++++++
 kernel/sysctl.c         | 12 ++++++++++++
 kernel/user_namespace.c |  3 +++
 3 files changed, 30 insertions(+)

diff --git a/kernel/fork.c b/kernel/fork.c
index e5d9d405ae4e..c4be89c51f25 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -103,6 +103,11 @@
 
 #define CREATE_TRACE_POINTS
 #include <trace/events/task.h>
+#ifdef CONFIG_USER_NS
+extern int unprivileged_userns_clone;
+#else
+#define unprivileged_userns_clone 0
+#endif
 
 /*
  * Minimum number of threads to boot the kernel
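Review bot: the `#else` fallback at the top of this hunk defines `unprivileged_userns_clone` as 0, which makes `!unprivileged_userns_clone` always true on kernels built without CONFIG_USER_NS, so the checks added later in this file return -EPERM for any CLONE_NEWUSER caller lacking CAP_SYS_ADMIN on those kernels too. If that is intended, a one-line comment next to the `#define` should say so; if not, the fallback should be 1 so the pre-existing code path decides the error.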
@@ -1591,6 +1596,10 @@ static __latent_entropy struct task_struct *copy_process(
 	if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
 		return ERR_PTR(-EINVAL);
 
+	if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
+		if (!capable(CAP_SYS_ADMIN))
+			return ERR_PTR(-EPERM);
+
 	/*
 	 * Thread groups must share signals as well, and detached threads
 	 * can only be started up within the thread group.
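Review bot: the check added to copy_process() nests one unbraced `if` inside another; fold it into a single condition, `if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone && !capable(CAP_SYS_ADMIN))`, which still evaluates capable() last. The same test is repeated in the unshare() hunk that follows, so a small shared helper would keep the two copies from drifting apart.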
@@ -2385,6 +2394,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
 	if (unshare_flags & CLONE_NEWNS)
 		unshare_flags |= CLONE_FS;
 
+	if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
+		err = -EPERM;
+		if (!capable(CAP_SYS_ADMIN))
+			goto bad_unshare_out;
+	}
+
 	err = check_unshare_flags(unshare_flags);
 	if (err)
 		goto bad_unshare_out;
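Review bot: in the added unshare() block, `err = -EPERM` is assigned before the capable() test and stays assigned when the caller does hold CAP_SYS_ADMIN; it is harmless only because the next statement, `err = check_unshare_flags(unshare_flags);`, overwrites it. Assign it inside the failing branch instead, `if (!capable(CAP_SYS_ADMIN)) { err = -EPERM; goto bad_unshare_out; }`, so correctness does not depend on statement order.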
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index f98f28c12020..7256d339a32a 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -105,6 +105,9 @@ extern int core_uses_pid;
 extern char core_pattern[];
 extern unsigned int core_pipe_limit;
 #endif
+#ifdef CONFIG_USER_NS
+extern int unprivileged_userns_clone;
+#endif
 extern int pid_max;
 extern int pid_max_min, pid_max_max;
 extern int percpu_pagelist_fraction;
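Review bot: this `extern int unprivileged_userns_clone;` duplicates the declaration already added to kernel/fork.c. Declare it once in a header that kernel/fork.c, kernel/sysctl.c and kernel/user_namespace.c all include (include/linux/user_namespace.h would fit), so the definition is type-checked against a single declaration.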
@@ -515,6 +518,15 @@ static struct ctl_table kern_table[] = {
 		.proc_handler	= proc_dointvec,
 	},
 #endif
+#ifdef CONFIG_USER_NS
+	{
+		.procname	= "unprivileged_userns_clone",
+		.data		= &unprivileged_userns_clone,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec,
+	},
+#endif
 #ifdef CONFIG_PROC_SYSCTL
 	{
 		.procname	= "tainted",
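Review bot: the new kern_table entry uses `proc_dointvec`, so any integer, negative values included, is accepted for a variable that the checks in kernel/fork.c only test for zero or non-zero; `proc_dointvec_minmax` with `.extra1`/`.extra2` bounds of 0 and 1 would reject meaningless values. The diffstat also lists no file under Documentation/, so the new knob and its default are undocumented.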
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 246d4d4ce5c7..f64432b45cec 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -26,6 +26,9 @@
 #include <linux/bsearch.h>
 #include <linux/sort.h>
 
+/* sysctl */
+int unprivileged_userns_clone;
+
 static struct kmem_cache *user_ns_cachep __read_mostly;
 static DEFINE_MUTEX(userns_state_mutex);
 
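Review bot: `int unprivileged_userns_clone;` relies on implicit zero-initialisation to produce the "disallow ... by default" behaviour named in the subject line, and the `/* sysctl */` comment does not say so. Expand the comment to state that 0 means unprivileged CLONE_NEWUSER is refused and non-zero means it is allowed, and that 0 is the default.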
-- 
2.17.0

Last edited by slytux (2024-02-08 22:02:41)

Offline

#2 2024-02-08 21:18:56

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 21,831

Re: Arch's 6.7.x linux kernel patchset

Please wrap outputs in code tags... What security issue are you asserting/talking about? Are you just virtue signaling or do you know an actual problem here? The purpose is pretty tame: to allow a sysctl option to disable user namespaces (primarily relevant for dockers and cgroups et al.) if you want to disable that without having to recompile the kernel. The problems of (dis-)enabling that are discussed in https://wiki.archlinux.org/title/Securi … plications (and read the linked bug reports).

The other patchsets are the nvidia-drm hack to implicitly disable the simpledrm device, which is pretty important for people on nvidia gpus so they can get rid of the simpledrm device that's prone to confusing monitor listings at no benefit[1]. And the third is an actual security enhancement patch to increase randomization bits on ASLR to fix a reported potential security issue[2].

[1] https://github.com/archlinux/linux/comm … 1b27272908
[2] https://github.com/archlinux/linux/comm … da3c65e2a5

What exactly is your question here? Do you want to know why those are being applied -- and if so did the above answer your question?

Last edited by V1del (2024-02-08 21:26:47)

Offline

#3 2024-02-08 22:53:46

seth
Member
Registered: 2012-09-03
Posts: 51,878

Re: Arch's 6.7.x linux kernel patchset

an old one that was previously maintained because it seems like there could be a security issue or vector unpatched

@slytux, do you have any concern about the specific patch, or did you miss that the patch itself is part of the applied https://github.com/archlinux/linux/rele … .patch.zst ?

Offline

#4 2024-02-09 19:08:58

slytux
Member
From: New York
Registered: 2010-09-25
Posts: 129

Re: Arch's 6.7.x linux kernel patchset

It should be part of Arch's patchset if it hasn't been merged upstream.  It used to apply cleanly on a 5.x series kernel.

Offline

#5 2024-02-09 19:12:26

loqs
Member
Registered: 2014-03-06
Posts: 17,488

Re: Arch's 6.7.x linux kernel patchset

slytux wrote:

It should be part of Arch's patchset if it hasn't been merged upstream.  It used to apply cleanly on a 5.x series kernel.

See seth's comment.
Edit:
If the patch was not being applied, the sysctl would not be being added. Are you unable to use the sysctl with the 6.7.x series?

Last edited by loqs (2024-02-09 19:14:03)

Offline
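
The question the thread ends on, whether a running kernel exposes and enforces the kernel.unprivileged_userns_clone sysctl, can be checked from userspace. The program below is an added example, not part of any post or of the Arch patch set; the function names and verdict labels are made up for illustration, and euid 0 is assumed to stand in for holding CAP_SYS_ADMIN.

```c
#include <errno.h>
#include <linux/sched.h>   /* CLONE_NEWUSER */
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

enum verdict { ABSENT, ALLOWED, ENFORCED, NOT_ENFORCED, INCONCLUSIVE };

/* Read an integer sysctl file; -1 if it is missing or unparsable. */
int read_sysctl_int(const char *path)
{
	int v = -1;
	FILE *f = fopen(path, "r");
	if (!f)
		return -1;
	if (fscanf(f, "%d", &v) != 1)
		v = -1;
	fclose(f);
	return v;
}

/* Call unshare(CLONE_NEWUSER) in a throwaway child so the caller's own
 * namespaces stay untouched; returns 0 on success, else the child's errno. */
int probe_userns(void)
{
	int status;
	pid_t pid = fork();
	if (pid < 0)
		return errno;
	if (pid == 0)
		_exit(syscall(SYS_unshare, CLONE_NEWUSER) == 0 ? 0 : errno);
	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
		return EIO;
	return WEXITSTATUS(status);
}

/* Compare the sysctl value with what the probe observed. */
enum verdict judge(int sysctl_val, int probe_errno, int is_root)
{
	if (sysctl_val < 0) return ABSENT;       /* knob not exposed by this kernel */
	if (sysctl_val != 0) return ALLOWED;     /* the patch's check is switched off */
	if (is_root) return INCONCLUSIVE;        /* assumption: root passes capable() */
	return probe_errno == EPERM ? ENFORCED : NOT_ENFORCED;
}

int main(void)
{
	static const char *names[] = { "absent", "allowed", "enforced", "NOT enforced", "inconclusive" };
	int v = read_sysctl_int("/proc/sys/kernel/unprivileged_userns_clone");
	printf("sysctl=%d verdict=%s\n", v, names[judge(v, probe_userns(), geteuid() == 0)]);
}
```

Run it as an ordinary user; "NOT enforced" means the knob reads 0 yet the kernel did not answer the probe with EPERM.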
