diff options
author | Josh Boyer <jwboyer@redhat.com> | 2014-04-12 19:57:02 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@redhat.com> | 2014-04-12 19:57:17 -0400 |
commit | f9bb91845a30b5ec296ef6f01c9d2eca4cd0b0bb (patch) | |
tree | ae6f188c3254fa288da2b260e96c186010236a9c /Revert-userns-Allow-unprivileged-users-to-create-use.patch | |
parent | 58049b49658b32aa5195bc7517018539e6eba59c (diff) | |
download | kernel-f9bb91845a30b5ec296ef6f01c9d2eca4cd0b0bb.tar.gz kernel-f9bb91845a30b5ec296ef6f01c9d2eca4cd0b0bb.tar.xz kernel-f9bb91845a30b5ec296ef6f01c9d2eca4cd0b0bb.zip |
Linux v3.14.1-rc1
Diffstat (limited to 'Revert-userns-Allow-unprivileged-users-to-create-use.patch')
-rw-r--r-- | Revert-userns-Allow-unprivileged-users-to-create-use.patch | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/Revert-userns-Allow-unprivileged-users-to-create-use.patch b/Revert-userns-Allow-unprivileged-users-to-create-use.patch new file mode 100644 index 000000000..cea6bff01 --- /dev/null +++ b/Revert-userns-Allow-unprivileged-users-to-create-use.patch @@ -0,0 +1,44 @@ +Bugzilla: 917708 +Upstream-status: Fedora mustard + +From e3da68be55914bfeedb8866f191cc0958579611d Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@fedoraproject.org> +Date: Wed, 13 Nov 2013 10:21:18 -0500 +Subject: [PATCH] Revert "userns: Allow unprivileged users to create user + namespaces." + +This reverts commit 5eaf563e53294d6696e651466697eb9d491f3946. + +Conflicts: + kernel/fork.c +--- + kernel/fork.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/kernel/fork.c b/kernel/fork.c +index f6d11fc..e04c9a7 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -1573,6 +1573,19 @@ long do_fork(unsigned long clone_flags, + long nr; + + /* ++ * Do some preliminary argument and permissions checking before we ++ * actually start allocating stuff ++ */ ++ if (clone_flags & CLONE_NEWUSER) { ++ /* hopefully this check will go away when userns support is ++ * complete ++ */ ++ if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) || ++ !capable(CAP_SETGID)) ++ return -EPERM; ++ } ++ ++ /* + * Determine whether and which event to report to ptracer. When + * called from kernel_thread or CLONE_UNTRACED is explicitly + * requested, no event is reported; otherwise, report if the event +-- +1.8.3.1 + |