kernel/Revert-userns-Allow-unprivileged-users-to-create-use.patch
2014-02-19 10:19:09 -06:00

45 lines
1.2 KiB
Diff

Bugzilla: 917708
Upstream-status: Fedora mustard
From e3da68be55914bfeedb8866f191cc0958579611d Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Wed, 13 Nov 2013 10:21:18 -0500
Subject: [PATCH] Revert "userns: Allow unprivileged users to create user
namespaces."
This reverts commit 5eaf563e53294d6696e651466697eb9d491f3946.
Conflicts:
kernel/fork.c
---
kernel/fork.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/kernel/fork.c b/kernel/fork.c
index f6d11fc..e04c9a7 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1573,6 +1573,19 @@ long do_fork(unsigned long clone_flags,
long nr;
/*
+ * Do some preliminary argument and permissions checking before we
+ * actually start allocating stuff
+ */
+ if (clone_flags & CLONE_NEWUSER) {
+ /* hopefully this check will go away when userns support is
+ * complete
+ */
+ if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) ||
+ !capable(CAP_SETGID))
+ return -EPERM;
+ }
+
+ /*
* Determine whether and which event to report to ptracer. When
* called from kernel_thread or CLONE_UNTRACED is explicitly
* requested, no event is reported; otherwise, report if the event
--
1.8.3.1