add sysctl to disallow unprivileged CLONE_NEWUSER by default

author Serge Hallyn <serge.hallyn@canonical.com>

Fri, 31 May 2013 18:12:12 +0000 (19:12 +0100)

committer Salvatore Bonaccorso <carnil@debian.org>

Sat, 20 Dec 2025 09:15:48 +0000 (10:15 +0100)
author Serge Hallyn <serge.hallyn@canonical.com>
Fri, 31 May 2013 18:12:12 +0000 (19:12 +0100)
committer Salvatore Bonaccorso <carnil@debian.org>
Sat, 20 Dec 2025 09:15:48 +0000 (10:15 +0100)
diff --git a/kernel/fork.c b/kernel/fork.c

index bb86c57cc0d987587c102533fcd347b00a1bf769..324e2aee27cb4f6bfe5de41351294dafef41da52 100644 (file)
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -123,6 +123,12 @@
  
  #include <kunit/visibility.h>
  
+#ifdef CONFIG_USER_NS
+extern int unprivileged_userns_clone;
+#else
+#define unprivileged_userns_clone 0
+#endif
+
  /*
   * Minimum number of threads to boot the kernel
   */
@@ -1938,6 +1944,10 @@ __latent_entropy struct task_struct *copy_process(
         if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
                 return ERR_PTR(-EINVAL);
  
+       if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
+               if (!capable(CAP_SYS_ADMIN))
+                       return ERR_PTR(-EPERM);
+
         /*
          * Thread groups must share signals as well, and detached threads
          * can only be started up within the thread group.
@@ -3105,6 +3115,12 @@ int ksys_unshare(unsigned long unshare_flags)
         if (unshare_flags & CLONE_NEWNS)
                 unshare_flags |= CLONE_FS;
  
+       if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
+               err = -EPERM;
+               if (!capable(CAP_SYS_ADMIN))
+                       goto bad_unshare_out;
+       }
+
         err = check_unshare_flags(unshare_flags);
         if (err)
                 goto bad_unshare_out;
diff --git a/kernel/sysctl.c b/kernel/sysctl.c

index cb6196e3fa993daa21704d190baf366084e014f7..c955e49a4b7a304d3ea3dd870c7ad42f378b9b14 100644 (file)
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -36,6 +36,10 @@ EXPORT_SYMBOL_GPL(sysctl_long_vals);
  static const int ngroups_max = NGROUPS_MAX;
  static const int cap_last_cap = CAP_LAST_CAP;
  
+#ifdef CONFIG_USER_NS
+extern int unprivileged_userns_clone;
+#endif
+
  #ifdef CONFIG_PROC_SYSCTL
  
  /**
@@ -1455,6 +1459,15 @@ int proc_do_static_key(const struct ctl_table *table, int write,
  }
  
  static const struct ctl_table sysctl_subsys_table[] = {
+#ifdef CONFIG_USER_NS
+       {
+               .procname       = "unprivileged_userns_clone",
+               .data           = &unprivileged_userns_clone,
+               .maxlen         = sizeof(int),
+               .mode           = 0644,
+               .proc_handler   = proc_dointvec,
+       },
+#endif
  #ifdef CONFIG_PROC_SYSCTL
         {
                 .procname       = "sysctl_writes_strict",
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c

index 682f40d5632d44b983f8b2322fdfd1f7d1d47d2c..bf265ad528f9ea3de8f31b770c07319814163028 100644 (file)
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -22,6 +22,9 @@
  #include <linux/bsearch.h>
  #include <linux/sort.h>
  
+/* sysctl */
+int unprivileged_userns_clone = 1;
+
  static struct kmem_cache *user_ns_cachep __ro_after_init;
  static DEFINE_MUTEX(userns_state_mutex);
author	Serge Hallyn <serge.hallyn@canonical.com>
	Fri, 31 May 2013 18:12:12 +0000 (19:12 +0100)
committer	Salvatore Bonaccorso <carnil@debian.org>
	Sat, 20 Dec 2025 09:15:48 +0000 (10:15 +0100)
kernel/fork.c		patch \| blob \| history
kernel/sysctl.c		patch \| blob \| history
kernel/user_namespace.c		patch \| blob \| history