add CONFIG for unprivileged_userns_clone
When disabled, unprivileged users will not be able to create new namespaces. Allowing users to create their own namespaces has been part of several recent local privilege escalation exploits, so if you need user namespaces but are paranoid^Wsecurity-conscious you want to disable this. By default unprivileged user namespaces are disabled. Authored-by: Jan Alexander Steffens (heftig) <jan.steffens@gmail.com> Edited-by: Levente Polyak (anthraxx) <levente@leventepolyak.net>
parent
bc73b233dd
commit
3080103dbe
16
init/Kconfig
16
init/Kconfig
|
@ -1178,6 +1178,22 @@ config USER_NS
|
|||
|
||||
If unsure, say N.
|
||||
|
||||
config USER_NS_UNPRIVILEGED
|
||||
bool "Allow unprivileged users to create namespaces"
|
||||
depends on USER_NS
|
||||
default n
|
||||
help
|
||||
When disabled, unprivileged users will not be able to create
|
||||
new namespaces. Allowing users to create their own namespaces
|
||||
has been part of several recent local privilege escalation
|
||||
exploits, so if you need user namespaces but are
|
||||
paranoid^Wsecurity-conscious you want to disable this.
|
||||
|
||||
This setting can be overridden at runtime via the
|
||||
kernel.unprivileged_userns_clone sysctl.
|
||||
|
||||
If unsure, say N.
|
||||
|
||||
config PID_NS
|
||||
bool "PID Namespaces"
|
||||
default y
|
||||
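Review bot: The prompt and help text of USER_NS_UNPRIVILEGED say "namespaces", but the option depends on USER_NS and the sysctl it names is unprivileged_userns_clone, so what it gates is presumably the creation of user namespaces specifically; `bool "Allow unprivileged users to create user namespaces"` would say that. The help should also state that the option only selects the boot-time default of `kernel.unprivileged_userns_clone`. With `default n` the restriction holds only while nothing sets the sysctl back to 1, so a hardened deployment has to check the runtime value as well as the build config. A sentence such as `This option only sets the initial value of the sysctl; it can still be changed at runtime.` after the sysctl paragraph would cover it.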
|
|
|
@ -22,7 +22,11 @@
|
|||
#include <linux/sort.h>
|
||||
|
||||
/* sysctl */
|
||||
#ifdef CONFIG_USER_NS_UNPRIVILEGED
|
||||
int unprivileged_userns_clone = 1;
|
||||
#else
|
||||
int unprivileged_userns_clone;
|
||||
#endif
|
||||
|
||||
static struct kmem_cache *user_ns_cachep __read_mostly;
|
||||
static DEFINE_MUTEX(userns_state_mutex);
|
||||
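Review bot: The `#ifdef CONFIG_USER_NS_UNPRIVILEGED` / `#else` pair defines `unprivileged_userns_clone` twice only to vary its initial value; `int unprivileged_userns_clone = IS_ENABLED(CONFIG_USER_NS_UNPRIVILEGED);` gives the same result with a single definition. The `/* sysctl */` comment does not tell a reader that this integer is a security switch, so I would replace it with `/* kernel.unprivileged_userns_clone: 0 = unprivileged user namespace creation denied, 1 = allowed */`. The sysctl table entry and the code that reads the variable are not on this page, and the file header for this hunk is not shown either. If the handler does not already limit writes to 0 and 1, that is worth adding so the switch has no unintended states.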
|
|