From 8b27c81fbddbde60634661baeb1fd475de32355b Mon Sep 17 00:00:00 2001
From: "Jan Alexander Steffens (heftig)" <heftig@archlinux.org>
Date: Thu, 22 May 2025 07:32:13 +0200
Subject: ZEN: Add config for default of unprivileged_userns_clone
---
init/Kconfig | 16 ++++++++++++++++
kernel/user_namespace.c | 4 ++++
2 files changed, 20 insertions(+)
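--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1349,6 +1349,22 @@ config USER_NS
 
 If unsure, say N.
 
+config USER_NS_UNPRIVILEGED
+ bool "Allow unprivileged users to create namespaces"
+ default y
+ depends on USER_NS
+ help
+ When disabled, unprivileged users will not be able to create
+ new namespaces. Allowing users to create their own namespaces
+ has been part of several recent local privilege escalation
+ exploits, so if you need user namespaces but are
+ paranoid^Wsecurity-conscious you want to disable this.
+
+ This setting can be overridden at runtime via the
+ kernel.unprivileged_userns_clone sysctl.
+
+ If unsure, say Y.
+
 config PID_NS
 bool "PID Namespaces"
 default y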
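Review bot: The help text of `USER_NS_UNPRIVILEGED` never says that the option only picks the initial value of `kernel.unprivileged_userns_clone`, so a reader can take `n` for a build-time lockdown. The second help paragraph states that the sysctl overrides the setting at runtime, which means anything able to write that sysctl can switch unprivileged creation back on after boot. I would add a sentence such as `Saying N only changes the boot-time default; it does not prevent the sysctl from being set to 1 later.` The prompt and help also say "namespaces" where, judging by the file the variable is defined in, user namespaces are presumably meant; `bool "Allow unprivileged users to create user namespaces by default"` would be more precise.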
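--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -23,7 +23,11 @@
 #include <linux/sort.h>
 
 /* sysctl */
+#ifdef CONFIG_USER_NS_UNPRIVILEGED
 int unprivileged_userns_clone = 1;
+#else
+int unprivileged_userns_clone;
+#endif
 
 static struct kmem_cache *user_ns_cachep __ro_after_init;
 static DEFINE_MUTEX(userns_state_mutex);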
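Review bot: The `#ifdef`/`#else` pair around the two definitions of `unprivileged_userns_clone` can be a single line, `int unprivileged_userns_clone = IS_ENABLED(CONFIG_USER_NS_UNPRIVILEGED);`. That keeps one definition in front of the compiler in both configurations and spells out the 0 default instead of leaving it to implicit zero-initialisation. The only comment on the variable is `/* sysctl */`; something like `/* kernel.unprivileged_userns_clone: 1 allows unprivileged creation, 0 denies it; boot default from CONFIG_USER_NS_UNPRIVILEGED */` would tell a reader what the two values mean. The code that reads this variable is outside the hunk, so the enforcement path is not covered by this note.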