Linux v3.14.1-rc1

1 files changed, 44 insertions, 0 deletions

diff --git a/Revert-userns-Allow-unprivileged-users-to-create-use.patch b/Revert-userns-Allow-unprivileged-users-to-create-use.patch
new file mode 100644
index 000000000..cea6bff01
--- /dev/null
+++ b/Revert-userns-Allow-unprivileged-users-to-create-use.patch
@@ -0,0 +1,44 @@
+Bugzilla: 917708
+Upstream-status: Fedora mustard
+
+From e3da68be55914bfeedb8866f191cc0958579611d Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Wed, 13 Nov 2013 10:21:18 -0500
+Subject: [PATCH] Revert "userns: Allow unprivileged users to create user
+ namespaces."
+
+This reverts commit 5eaf563e53294d6696e651466697eb9d491f3946.
+
+Conflicts:
+	kernel/fork.c
+---
+ kernel/fork.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/kernel/fork.c b/kernel/fork.c
+index f6d11fc..e04c9a7 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1573,6 +1573,19 @@ long do_fork(unsigned long clone_flags,
+ 	long nr;
+ 
+ 	/*
++	 * Do some preliminary argument and permissions checking before we
++	 * actually start allocating stuff
++	 */
++	if (clone_flags & CLONE_NEWUSER) {
++		/* hopefully this check will go away when userns support is
++		 * complete
++		 */
++		if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) ||
++				!capable(CAP_SETGID))
++			return -EPERM;
++	}
++
++	/*
+ 	 * Determine whether and which event to report to ptracer.  When
+ 	 * called from kernel_thread or CLONE_UNTRACED is explicitly
+ 	 * requested, no event is reported; otherwise, report if the event
+-- 
+1.8.3.1
+