summaryrefslogtreecommitdiffstats
path: root/Revert-userns-Allow-unprivileged-users-to-create-use.patch
blob: cea6bff01f80bc1ebd76d3b01e08bee28b5e3001 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
Bugzilla: 917708
Upstream-status: Fedora mustard

From e3da68be55914bfeedb8866f191cc0958579611d Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Wed, 13 Nov 2013 10:21:18 -0500
Subject: [PATCH] Revert "userns: Allow unprivileged users to create user
 namespaces."

This reverts commit 5eaf563e53294d6696e651466697eb9d491f3946.

Conflicts:
	kernel/fork.c
---
 kernel/fork.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/kernel/fork.c b/kernel/fork.c
index f6d11fc..e04c9a7 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1573,6 +1573,19 @@ long do_fork(unsigned long clone_flags,
 	long nr;
 
 	/*
+	 * Do some preliminary argument and permissions checking before we
+	 * actually start allocating stuff
+	 */
+	if (clone_flags & CLONE_NEWUSER) {
+		/* hopefully this check will go away when userns support is
+		 * complete
+		 */
+		if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) ||
+				!capable(CAP_SETGID))
+			return -EPERM;
+	}
+
+	/*
 	 * Determine whether and which event to report to ptracer.  When
 	 * called from kernel_thread or CLONE_UNTRACED is explicitly
 	 * requested, no event is reported; otherwise, report if the event
-- 
1.8.3.1