Add sysctl option to disallow unprivileged CLONE_NEWUSER by default
Change-Id: I3a7800a7734f8b903db3513e5ac5560d6f9c031c
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/3520
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Sharath George
Tested-by: Sharath George
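--- a/[path not shown on page; spec with Name: linux-api-headers]
+++ b/[path not shown on page; spec with Name: linux-api-headers]
@@ -1,6 +1,6 @@
 Summary: Linux API header files
 Name: linux-api-headers
-Version: 4.9.34
+Version: 4.9.43
 Release: 1%{?dist}
 License: GPLv2
 URL: http://www.kernel.org/
@@ -8,7 +8,7 @@ Group: System Environment/Kernel
 Vendor: VMware, Inc.
 Distribution: Photon
 Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
-%define sha1 linux=d02dc269e67eae329043c9aa7d6c2d6182950c2f
+%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5
 BuildArch: noarch
 %description
 The Linux API Headers expose the kernel's API for use by Glibc.
@@ -25,6 +25,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de
 %defattr(-,root,root)
 %{_includedir}/*
 %changelog
+* Mon Aug 14 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.43-1
+- Version update
 * Wed Jun 28 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.34-1
 - Version update
 * Fri May 26 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.30-1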
new file mode 100644 |
@@ -0,0 +1,93 @@ |
0 |
+From: Serge Hallyn <serge.hallyn@canonical.com> |
|
1 |
+Date: Fri, 31 May 2013 19:12:12 +0000 (+0100) |
|
2 |
+Subject: add sysctl to disallow unprivileged CLONE_NEWUSER by default |
|
3 |
+Origin: http://kernel.ubuntu.com/git?p=serge%2Fubuntu-saucy.git;a=commit;h=5c847404dcb2e3195ad0057877e1422ae90892b8 |
|
4 |
+ |
|
5 |
+add sysctl to disallow unprivileged CLONE_NEWUSER by default |
|
6 |
+ |
|
7 |
+This is a short-term patch. Unprivileged use of CLONE_NEWUSER |
|
8 |
+is certainly an intended feature of user namespaces. However |
|
9 |
+for at least saucy we want to make sure that, if any security |
|
10 |
+issues are found, we have a fail-safe. |
|
11 |
+ |
|
12 |
+Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> |
|
13 |
+[bwh: Remove unneeded binary sysctl bits] |
|
14 |
+--- |
|
15 |
+--- a/kernel/fork.c |
|
16 |
+@@ -87,6 +87,11 @@ |
|
17 |
+ |
|
18 |
+ #define CREATE_TRACE_POINTS |
|
19 |
+ #include <trace/events/task.h> |
|
20 |
++#ifdef CONFIG_USER_NS |
|
21 |
++extern int unprivileged_userns_clone; |
|
22 |
++#else |
|
23 |
++#define unprivileged_userns_clone 0 |
|
24 |
++#endif |
|
25 |
+ |
|
26 |
+ /* |
|
27 |
+ * Minimum number of threads to boot the kernel |
|
28 |
+@@ -1252,6 +1257,10 @@ static struct task_struct *copy_process( |
|
29 |
+ if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) |
|
30 |
+ return ERR_PTR(-EINVAL); |
|
31 |
+ |
|
32 |
++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) |
|
33 |
++ if (!capable(CAP_SYS_ADMIN)) |
|
34 |
++ return ERR_PTR(-EPERM); |
|
35 |
++ |
|
36 |
+ /* |
|
37 |
+ * Thread groups must share signals as well, and detached threads |
|
38 |
+ * can only be started up within the thread group. |
|
39 |
+@@ -1944,6 +1953,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, |
|
40 |
+ if (unshare_flags & CLONE_NEWNS) |
|
41 |
+ unshare_flags |= CLONE_FS; |
|
42 |
+ |
|
43 |
++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) { |
|
44 |
++ err = -EPERM; |
|
45 |
++ if (!capable(CAP_SYS_ADMIN)) |
|
46 |
++ goto bad_unshare_out; |
|
47 |
++ } |
|
48 |
++ |
|
49 |
+ err = check_unshare_flags(unshare_flags); |
|
50 |
+ if (err) |
|
51 |
+ goto bad_unshare_out; |
|
52 |
+--- a/kernel/sysctl.c |
|
53 |
+@@ -102,6 +102,9 @@ extern int core_uses_pid; |
|
54 |
+ extern char core_pattern[]; |
|
55 |
+ extern unsigned int core_pipe_limit; |
|
56 |
+ #endif |
|
57 |
++#ifdef CONFIG_USER_NS |
|
58 |
++extern int unprivileged_userns_clone; |
|
59 |
++#endif |
|
60 |
+ extern int pid_max; |
|
61 |
+ extern int pid_max_min, pid_max_max; |
|
62 |
+ extern int percpu_pagelist_fraction; |
|
63 |
+@@ -489,6 +492,15 @@ static struct ctl_table kern_table[] = { |
|
64 |
+ .mode = 0644, |
|
65 |
+ .proc_handler = proc_dointvec, |
|
66 |
+ }, |
|
67 |
++#endif |
|
68 |
++#ifdef CONFIG_USER_NS |
|
69 |
++ { |
|
70 |
++ .procname = "unprivileged_userns_clone", |
|
71 |
++ .data = &unprivileged_userns_clone, |
|
72 |
++ .maxlen = sizeof(int), |
|
73 |
++ .mode = 0644, |
|
74 |
++ .proc_handler = proc_dointvec, |
|
75 |
++ }, |
|
76 |
+ #endif |
|
77 |
+ #ifdef CONFIG_PROC_SYSCTL |
|
78 |
+ { |
|
79 |
+--- a/kernel/user_namespace.c |
|
80 |
+@@ -23,6 +23,9 @@ |
|
81 |
+ #include <linux/projid.h> |
|
82 |
+ #include <linux/fs_struct.h> |
|
83 |
+ |
|
84 |
++/* sysctl */ |
|
85 |
++int unprivileged_userns_clone; |
|
86 |
++ |
|
87 |
+ static struct kmem_cache *user_ns_cachep __read_mostly; |
|
88 |
+ static DEFINE_MUTEX(userns_state_mutex); |
|
89 |
+ |
0 | 90 |
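Review bot: The new `kern_table` entry in the kernel/sysctl.c hunk registers `unprivileged_userns_clone` with `proc_dointvec`, so any integer can be written to the knob even though fork.c and the unshare path only ever test it for zero versus non-zero; clamping it with `.proc_handler = proc_dointvec_minmax, .extra1 = &zero, .extra2 = &one,` (the `zero`/`one` statics that kernel/sysctl.c of this era already uses for other entries) makes the exposed interface unambiguous and keeps negative or garbage values out of `/proc/sys/kernel`. The defining line in the kernel/user_namespace.c hunk, `int unprivileged_userns_clone;`, is zero-initialized, so the shipped default denies CLONE_NEWUSER to anything without CAP_SYS_ADMIN; that is the intent of the commit title, but the only in-tree comment is `/* sysctl */`, and a line such as `/* 0 (default): CLONE_NEWUSER needs CAP_SYS_ADMIN; non-zero: unprivileged user namespaces allowed */` would spare the next reader a trip through fork.c. The `@@ -0,0 +1,93 @@` header declares 93 lines but the page shows 90, so the tail of this file is not visible here.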
deleted file mode 100644 |
@@ -1,51 +0,0 @@ |
1 |
-From 6399f1fae4ec29fab5ec76070435555e256ca3a6 Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Sabrina Dubroca <sd@queasysnail.net> |
|
3 |
-Date: Wed, 19 Jul 2017 22:28:55 +0200 |
|
4 |
-Subject: [PATCH] ipv6: avoid overflow of offset in ip6_find_1stfragopt |
|
5 |
- |
|
6 |
-In some cases, offset can overflow and can cause an infinite loop in |
|
7 |
-ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and |
|
8 |
-cap it at IPV6_MAXPLEN, since packets larger than that should be invalid. |
|
9 |
- |
|
10 |
-This problem has been here since before the beginning of git history. |
|
11 |
- |
|
12 |
-Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> |
|
13 |
-Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> |
|
14 |
-Signed-off-by: David S. Miller <davem@davemloft.net> |
|
15 |
- net/ipv6/output_core.c | 8 ++++++-- |
|
16 |
- 1 file changed, 6 insertions(+), 2 deletions(-) |
|
17 |
- |
|
18 |
-diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c |
|
19 |
-index e9065b8d3af85..abb2c307fbe83 100644 |
|
20 |
-+++ b/net/ipv6/output_core.c |
|
21 |
-@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident); |
|
22 |
- |
|
23 |
- int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) |
|
24 |
- { |
|
25 |
-- u16 offset = sizeof(struct ipv6hdr); |
|
26 |
-+ unsigned int offset = sizeof(struct ipv6hdr); |
|
27 |
- unsigned int packet_len = skb_tail_pointer(skb) - |
|
28 |
- skb_network_header(skb); |
|
29 |
- int found_rhdr = 0; |
|
30 |
-@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) |
|
31 |
- |
|
32 |
- while (offset <= packet_len) { |
|
33 |
- struct ipv6_opt_hdr *exthdr; |
|
34 |
-+ unsigned int len; |
|
35 |
- |
|
36 |
- switch (**nexthdr) { |
|
37 |
- |
|
38 |
-@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) |
|
39 |
- |
|
40 |
- exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) + |
|
41 |
- offset); |
|
42 |
-- offset += ipv6_optlen(exthdr); |
|
43 |
-+ len = ipv6_optlen(exthdr); |
|
44 |
-+ if (len + offset >= IPV6_MAXPLEN) |
|
45 |
-+ return -EINVAL; |
|
46 |
-+ offset += len; |
|
47 |
- *nexthdr = &exthdr->nexthdr; |
|
48 |
- } |
|
49 |
- |
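--- a/[path not shown on page; spec with Name: linux-esx]
+++ b/[path not shown on page; spec with Name: linux-esx]
@@ -1,15 +1,15 @@
 %global security_hardening none
 Summary: Kernel
 Name: linux-esx
-Version: 4.9.41
-Release: 2%{?dist}
+Version: 4.9.43
+Release: 1%{?dist}
 License: GPLv2
 URL: http://www.kernel.org/
 Group: System Environment/Kernel
 Vendor: VMware, Inc.
 Distribution: Photon
 Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
-%define sha1 linux=74fe70e8c119fbf67f7f131e92a45a2046ca1908
+%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5
 Source1: config-esx
 Source2: initramfs.trigger
 # common
@@ -35,8 +35,7 @@ Patch18: 05-pv-ops-clocksource.patch
 Patch19: 06-pv-ops-boot_clock.patch
 Patch20: 07-vmware-only.patch
 Patch21: vmware-balloon-late-initcall.patch
-# Fix CVE-2017-7542
-Patch22: ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
+Patch22: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
 BuildRequires: bc
 BuildRequires: kbd
 BuildRequires: kmod-devel
@@ -190,6 +189,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
 /usr/src/linux-headers-%{uname_r}
 
 %changelog
+* Mon Aug 14 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.43-1
+- Version update
+- [feature] new sysctl option unprivileged_userns_clone
 * Wed Aug 09 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.41-2
 - [bugfix] Do not fallback to syscall from VDSO on clock_gettime(MONOTONIC)
 - Fix CVE-2017-7542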
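Review bot: The Patch22 hunk swaps the CVE-2017-7542 backport for the CLONE_NEWUSER patch, but neither the hunk nor the new changelog entry records why the ipv6 fix can go; presumably the 4.9.43 base already carries it, which I cannot confirm from this page, and without a note the removal reads like a silent regression of a fixed CVE. A changelog line such as `- Drop ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch (fix included in 4.9.43 base)` would make the audit trail match the `- Fix CVE-2017-7542` entry below it. The same unexplained swap appears in the linux-secure (Patch29) and linux (Patch26) sections. The `%prep` lines that apply these patch slots are outside the shown hunks, so whether the reused slot still matches its `%patch` line is not visible here.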
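--- a/[path not shown on page; spec with Name: linux-secure]
+++ b/[path not shown on page; spec with Name: linux-secure]
@@ -1,15 +1,15 @@
 %global security_hardening none
 Summary: Kernel
 Name: linux-secure
-Version: 4.9.41
-Release: 2%{?dist}
+Version: 4.9.43
+Release: 1%{?dist}
 License: GPLv2
 URL: http://www.kernel.org/
 Group: System Environment/Kernel
 Vendor: VMware, Inc.
 Distribution: Photon
 Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
-%define sha1 linux=74fe70e8c119fbf67f7f131e92a45a2046ca1908
+%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5
 Source1: config-secure
 Source2: aufs4.9.tar.gz
 %define sha1 aufs=ebe716ce4b638a3772c7cd3161abbfe11d584906
@@ -46,8 +46,7 @@ Patch26: 0014-hv_sock-introduce-Hyper-V-Sockets.patch
 #FIPS patches - allow some algorithms
 Patch27: 0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch
 Patch28: 0002-allow-also-ecb-cipher_null.patch
-# Fix CVE-2017-7542
-Patch29: ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
+Patch29: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
 # NSX requirements (should be removed)
 Patch99: LKCM.patch
 BuildRequires: bc
@@ -258,6 +257,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
 /usr/src/linux-headers-%{uname_r}
 
 %changelog
+* Mon Aug 14 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.43-1
+- Version update
+- [feature] new sysctl option unprivileged_userns_clone
 * Wed Aug 09 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.41-2
 - Fix CVE-2017-7542
 - [bugfix] Added ccm,gcm,ghash,lzo crypto modules to avoid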
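--- a/[path not shown on page; spec with Name: linux]
+++ b/[path not shown on page; spec with Name: linux]
@@ -1,15 +1,15 @@
 %global security_hardening none
 Summary: Kernel
 Name: linux
-Version: 4.9.41
-Release: 2%{?dist}
+Version: 4.9.43
+Release: 1%{?dist}
 License: GPLv2
 URL: http://www.kernel.org/
 Group: System Environment/Kernel
 Vendor: VMware, Inc.
 Distribution: Photon
 Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
-%define sha1 linux=74fe70e8c119fbf67f7f131e92a45a2046ca1908
+%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5
 Source1: config
 Source2: initramfs.trigger
 %define ena_version 1.1.3
@@ -43,8 +43,7 @@ Patch23: 0014-hv_sock-introduce-Hyper-V-Sockets.patch
 #FIPS patches - allow some algorithms
 Patch24: 0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch
 Patch25: 0002-allow-also-ecb-cipher_null.patch
-# Fix CVE-2017-7542
-Patch26: ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
+Patch26: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
 
 BuildRequires: bc
 BuildRequires: kbd
@@ -298,6 +297,9 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg
 /usr/share/doc/*
 
 %changelog
+* Mon Aug 14 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.43-1
+- Version update
+- [feature] new sysctl option unprivileged_userns_clone
 * Wed Aug 09 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.41-2
 - Fix CVE-2017-7542
 - [bugfix] Added ccm,gcm,ghash,lzo crypto modules to avoid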