add CONFIG for unprivileged_userns_clone

When disabled, unprivileged users will not be able to create
new namespaces. Allowing users to create their own namespaces
has been part of several recent local privilege escalation
exploits, so if you need user namespaces but are
paranoid^Wsecurity-conscious you want to disable this.

By default unprivileged user namespaces are disabled.

Authored-by: Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
Edited-by: Levente Polyak (anthraxx) <levente@leventepolyak.net>

init/Kconfig

@@ -1178,6 +1178,22 @@ config USER_NS
 
 	  If unsure, say N.
 
+config USER_NS_UNPRIVILEGED
+	bool "Allow unprivileged users to create namespaces"
+	depends on USER_NS
+	default n
+	help
+	  When disabled, unprivileged users will not be able to create
+	  new namespaces. Allowing users to create their own namespaces
+	  has been part of several recent local privilege escalation
+	  exploits, so if you need user namespaces but are
+	  paranoid^Wsecurity-conscious you want to disable this.
+
+	  This setting can be overridden at runtime via the
+	  kernel.unprivileged_userns_clone sysctl.
+
+	  If unsure, say N.
+
 config PID_NS
 	bool "PID Namespaces"
 	default y

kernel/user_namespace.c

@@ -22,7 +22,11 @@
 #include <linux/sort.h>
 
 /* sysctl */
+#ifdef CONFIG_USER_NS_UNPRIVILEGED
+int unprivileged_userns_clone = 1;
+#else
 int unprivileged_userns_clone;
+#endif
 
 static struct kmem_cache *user_ns_cachep __read_mostly;
 static DEFINE_MUTEX(userns_state_mutex);