add CONFIG for unprivileged_userns_clone

When disabled, unprivileged users will not be able to create new namespaces. Allowing users to create their own namespaces has been part of several recent local privilege escalation exploits, so if you need user namespaces but are paranoid^Wsecurity-conscious you want to disable this. By default unprivileged user namespaces are disabled. Authored-by: Jan Alexander Steffens (heftig) <jan.steffens@gmail.com> Edited-by: Levente Polyak (anthraxx) <levente@leventepolyak.net>
anthraxx · Apr 4, 2020 · 104f440 · 104f440
1 parent c98a122
commit 104f440
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/init/Kconfig b/init/Kconfig
@@ -1111,6 +1111,22 @@ config USER_NS
 
 	  If unsure, say N.
 
+config USER_NS_UNPRIVILEGED
+	bool "Allow unprivileged users to create namespaces"
+	depends on USER_NS
+	default n
+	help
+	  When disabled, unprivileged users will not be able to create
+	  new namespaces. Allowing users to create their own namespaces
+	  has been part of several recent local privilege escalation
+	  exploits, so if you need user namespaces but are
+	  paranoid^Wsecurity-conscious you want to disable this.
+
+	  This setting can be overridden at runtime via the
+	  kernel.unprivileged_userns_clone sysctl.
+
+	  If unsure, say N.
+
 config PID_NS
 	bool "PID Namespaces"
 	default y

diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
@@ -22,7 +22,11 @@
 #include <linux/sort.h>
 
 /* sysctl */
+#ifdef CONFIG_USER_NS_UNPRIVILEGED
+int unprivileged_userns_clone = 1;
+#else
 int unprivileged_userns_clone;
+#endif
 
 static struct kmem_cache *user_ns_cachep __read_mostly;
 static DEFINE_MUTEX(userns_state_mutex);