summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--Revert-userns-Allow-unprivileged-users-to-create-use.patch41
-rw-r--r--config-generic2
-rw-r--r--kernel.spec10
-rw-r--r--keys-krb-support.patch10
4 files changed, 56 insertions, 7 deletions
diff --git a/Revert-userns-Allow-unprivileged-users-to-create-use.patch b/Revert-userns-Allow-unprivileged-users-to-create-use.patch
new file mode 100644
index 000000000..5713dbb20
--- /dev/null
+++ b/Revert-userns-Allow-unprivileged-users-to-create-use.patch
@@ -0,0 +1,41 @@
+From e3da68be55914bfeedb8866f191cc0958579611d Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Wed, 13 Nov 2013 10:21:18 -0500
+Subject: [PATCH] Revert "userns: Allow unprivileged users to create user
+ namespaces."
+
+This reverts commit 5eaf563e53294d6696e651466697eb9d491f3946.
+
+Conflicts:
+ kernel/fork.c
+---
+ kernel/fork.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/kernel/fork.c b/kernel/fork.c
+index f6d11fc..e04c9a7 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1573,6 +1573,19 @@ long do_fork(unsigned long clone_flags,
+ long nr;
+
+ /*
++ * Do some preliminary argument and permissions checking before we
++ * actually start allocating stuff
++ */
++ if (clone_flags & CLONE_NEWUSER) {
++ /* hopefully this check will go away when userns support is
++ * complete
++ */
++ if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) ||
++ !capable(CAP_SETGID))
++ return -EPERM;
++ }
++
++ /*
+ * Determine whether and which event to report to ptracer. When
+ * called from kernel_thread or CLONE_UNTRACED is explicitly
+ * requested, no event is reported; otherwise, report if the event
+--
+1.8.3.1
+
diff --git a/config-generic b/config-generic
index 490c77fa7..f80c276e1 100644
--- a/config-generic
+++ b/config-generic
@@ -61,7 +61,7 @@ CONFIG_PID_NS=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_NET_NS=y
-# CONFIG_USER_NS is not set
+CONFIG_USER_NS=y
# CONFIG_UIDGID_STRICT_TYPE_CHECKS is not set
CONFIG_POSIX_MQUEUE=y
diff --git a/kernel.spec b/kernel.spec
index 64e279bc8..bd7da9b89 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
-%global baserelease 1
+%global baserelease 2
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -627,6 +627,9 @@ Patch530: silence-fbcon-logo.patch
Patch600: 0001-lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch
+#rhbz 917708
+Patch700: Revert-userns-Allow-unprivileged-users-to-create-use.patch
+
Patch800: crash-driver.patch
# crypto/
@@ -1341,6 +1344,8 @@ ApplyPatch silence-fbcon-logo.patch
# Changes to upstream defaults.
+#rhbz 917708
+ApplyPatch Revert-userns-Allow-unprivileged-users-to-create-use.patch
# /dev/crash driver.
ApplyPatch crash-driver.patch
@@ -2233,6 +2238,9 @@ fi
# ||----w |
# || ||
%changelog
+* Wed Nov 13 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.13.0-0.rc0.git3.2
+- Enable USER_NS for root-only processes (rhbz 917708)
+
* Wed Nov 13 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.13.0-0.rc0.git3.1
- Linux v3.12-7033-g42a2d92
diff --git a/keys-krb-support.patch b/keys-krb-support.patch
index 8bffaae8b..aa4752c78 100644
--- a/keys-krb-support.patch
+++ b/keys-krb-support.patch
@@ -444,7 +444,7 @@ index 13fb113..2dbc299 100644
set_cred_user_ns(new, ns);
+#ifdef CONFIG_PERSISTENT_KEYRINGS
-+ rwsem_init(&ns->persistent_keyring_register_sem);
++ init_rwsem(&ns->persistent_keyring_register_sem);
+#endif
return 0;
}
@@ -699,10 +699,10 @@ index 0000000..631a022
+ /* You can only see your own persistent cache if you're not
+ * sufficiently privileged.
+ */
-+ if (uid != current_uid() &&
-+ uid != current_suid() &&
-+ uid != current_euid() &&
-+ uid != current_fsuid() &&
++ if (!uid_eq(uid, current_uid()) &&
++ /* uid_eq(uid, current_suid()) && */
++ !uid_eq(uid, current_euid()) &&
++ /* uid_eq(uid, current_fsuid()) && */
+ !ns_capable(ns, CAP_SETUID))
+ return -EPERM;
+ }
generated by cgit (git 2.34.1) at 2024-09-25 19:31:46 +0000