From 8b27c81fbddbde60634661baeb1fd475de32355b Mon Sep 17 00:00:00 2001
From: "Jan Alexander Steffens (heftig)"
Date: Thu, 22 May 2025 07:32:13 +0200
Subject: ZEN: Add config for default of unprivileged_userns_clone
---
 init/Kconfig | 16 ++++++++++++++++
 kernel/user_namespace.c | 4 ++++
 2 files changed, 20 insertions(+)
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1349,6 +1349,22 @@ config USER_NS
 If unsure, say N.
+config USER_NS_UNPRIVILEGED
+ bool "Allow unprivileged users to create namespaces"
+ default y
+ depends on USER_NS
+ help
+ When disabled, unprivileged users will not be able to create
+ new namespaces. Allowing users to create their own namespaces
+ has been part of several recent local privilege escalation
+ exploits, so if you need user namespaces but are
+ paranoid^Wsecurity-conscious you want to disable this.
+
+ This setting can be overridden at runtime via the
+ kernel.unprivileged_userns_clone sysctl.
+
+ If unsure, say Y.
+
 config PID_NS
 bool "PID Namespaces"
 default y
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -23,7 +23,11 @@
 #include
 /* sysctl */
+#ifdef CONFIG_USER_NS_UNPRIVILEGED
 int unprivileged_userns_clone = 1;
+#else
+int unprivileged_userns_clone;
+#endif
 static struct kmem_cache *user_ns_cachep __ro_after_init;
 static DEFINE_MUTEX(userns_state_mutex);
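Review bot: The help text for USER_NS_UNPRIVILEGED never states that the option only picks the boot-time default of kernel.unprivileged_userns_clone, so someone building with `n` may read it as a hard restriction. The sysctl remains writable at runtime, which means any process allowed to set it can turn unprivileged user namespaces back on; I would add a sentence such as `This only sets the default; a privileged user can still change it through the sysctl.` It would also help to name what typically stops working with `n` (rootless containers and unprivileged sandboxes that rely on user namespaces), so that `default y` reads as a deliberate compatibility trade-off rather than a recommendation.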
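Review bot: The `#ifdef`/`#else` pair around `unprivileged_userns_clone` can be written as a single definition, `int unprivileged_userns_clone = IS_ENABLED(CONFIG_USER_NS_UNPRIVILEGED);`, which avoids two diverging declarations of a variable that gates a security decision. A short comment above it would document the contract, e.g. `/* sysctl: non-zero lets unprivileged users create user namespaces; default from CONFIG_USER_NS_UNPRIVILEGED */`. The sysctl table entry and the code that reads this variable lie outside the hunk, so whether writes are clamped to 0..1 and which capability is required to change it cannot be confirmed from here and is worth checking alongside this change.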