It looks like the 6.17 archlinux patch is incomplete. In version 6.16, a few files in the kernel source were modified. It is supposed to change:
Makefile
kernel/fork.c
kernel/sysctl.c
kernel/user_namespace.c
The patch is meant to disallow unprivileged user namespace clones; until recently it was carried as an out-of-tree patch. I am using a vanilla build from upstream for now.
diff --git a/Makefile b/Makefile
index d18dae20b7af392136e34246e70f4b638c4596e9..44e7a70b1383b3323f357806182f0feae3364a32 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@
VERSION = 6
PATCHLEVEL = 16
SUBLEVEL = 1
-EXTRAVERSION =
+EXTRAVERSION = -arch1
NAME = Baby Opossum Posse
# *DOCUMENTATION*
diff --git a/kernel/fork.c b/kernel/fork.c
index 1ee8eb11f38bae1d2eb6de9494aea94b7a19e6c3..59d8c7ba6c5400aa70ebd80b2ddcc98882ae3971 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -122,6 +122,12 @@
#include <kunit/visibility.h>
+#ifdef CONFIG_USER_NS
+extern int unprivileged_userns_clone;
+#else
+#define unprivileged_userns_clone 0
+#endif
+
/*
* Minimum number of threads to boot the kernel
*/
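Review bot: `extern int unprivileged_userns_clone;` is declared ad hoc inside kernel/fork.c, and the hunk at line 61 repeats the same declaration in kernel/sysctl.c, so neither declaration is ever checked by the compiler against the definition added to kernel/user_namespace.c. The kernel convention is one declaration in a shared header (include/linux/user_namespace.h would be the natural home, guarded by the same `#ifdef CONFIG_USER_NS`), with the `#else` fallback `#define unprivileged_userns_clone 0` living there too instead of in fork.c. The fallback itself is reasonable only because CLONE_NEWUSER presumably cannot succeed without CONFIG_USER_NS anyway; a one-line comment such as `/* without CONFIG_USER_NS there is nothing to gate; keep the check compilable */` would make that intent explicit.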
@@ -1933,6 +1939,10 @@ __latent_entropy struct task_struct *copy_process(
if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
return ERR_PTR(-EINVAL);
+ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
+ if (!capable(CAP_SYS_ADMIN))
+ return ERR_PTR(-EPERM);
+
/*
* Thread groups must share signals as well, and detached threads
* can only be started up within the thread group.
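Review bot: The two nested, unbraced `if` statements added after the CLONE_NEWUSER|CLONE_FS check read as a dangling-else hazard and would be flagged by checkpatch; they can be a single condition, `if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone && !capable(CAP_SYS_ADMIN))` followed by `return ERR_PTR(-EPERM);`. Keeping `capable()` as the last operand preserves the current short-circuit order, so the capability check is only evaluated when the sysctl would actually deny the clone. A short comment naming the sysctl, `/* kernel.unprivileged_userns_clone == 0: CLONE_NEWUSER needs CAP_SYS_ADMIN in init_user_ns */`, would help readers find the knob. copy_process continues outside the hunk.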
@@ -3099,6 +3109,12 @@ int ksys_unshare(unsigned long unshare_flags)
if (unshare_flags & CLONE_NEWNS)
unshare_flags |= CLONE_FS;
+ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
+ err = -EPERM;
+ if (!capable(CAP_SYS_ADMIN))
+ goto bad_unshare_out;
+ }
+
err = check_unshare_flags(unshare_flags);
if (err)
goto bad_unshare_out;
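Review bot: The new block runs before `check_unshare_flags()`, so with the sysctl at 0 an unprivileged caller passing CLONE_NEWUSER together with an invalid flag set gets -EPERM from here before the flags are validated, whereas the copy_process hunk at line 35 places its check after the flag-combination rejection. If the two entry points are meant to behave alike, moving the block below `err = check_unshare_flags(unshare_flags); if (err) goto bad_unshare_out;` keeps -EINVAL for malformed requests on both paths; this is a consistency observation rather than a security gap, since the denial still happens either way. ksys_unshare's body continues outside the hunk.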
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 9b4f0cff76eaddc823065ea587760156576a8686..c388b1aa4d3d5ca8af0f8d2489b83e174e4a51fc 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -77,6 +77,10 @@ EXPORT_SYMBOL_GPL(sysctl_long_vals);
static const int ngroups_max = NGROUPS_MAX;
static const int cap_last_cap = CAP_LAST_CAP;
+#ifdef CONFIG_USER_NS
+extern int unprivileged_userns_clone;
+#endif
+
#ifdef CONFIG_PROC_SYSCTL
/**
@@ -1581,6 +1585,15 @@ int proc_do_static_key(const struct ctl_table *table, int write,
}
static const struct ctl_table kern_table[] = {
+#ifdef CONFIG_USER_NS
+ {
+ .procname = "unprivileged_userns_clone",
+ .data = &unprivileged_userns_clone,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ },
+#endif
#ifdef CONFIG_PROC_SYSCTL
{
.procname = "tainted",
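Review bot: The new `unprivileged_userns_clone` entry uses `proc_dointvec`, which accepts any int, while the consumers in kernel/fork.c only test the value for zero; writing 2 or -1 silently means "allow" and the stored value is then echoed back on read, which is confusing for administrators auditing the setting. Clamping it to a boolean, `.proc_handler = proc_dointvec_minmax,` with `.extra1 = SYSCTL_ZERO,` and `.extra2 = SYSCTL_ONE,`, matches how other kernel on/off sysctls are declared. kern_table continues outside the hunk.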
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 682f40d5632d44b983f8b2322fdfd1f7d1d47d2c..bf265ad528f9ea3de8f31b770c07319814163028 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -22,6 +22,9 @@
#include <linux/bsearch.h>
#include <linux/sort.h>
+/* sysctl */
+int unprivileged_userns_clone = 1;
+
static struct kmem_cache *user_ns_cachep __ro_after_init;
static DEFINE_MUTEX(userns_state_mutex);Offline
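Review bot: The `/* sysctl */` comment on the new global says nothing about its meaning or the default; since `= 1` is what keeps the upstream behaviour (the fork.c hunks only deny when the value is 0), that deserves stating at the definition. Something like `/* kernel.unprivileged_userns_clone: 0 makes CLONE_NEWUSER require CAP_SYS_ADMIN in copy_process()/ksys_unshare(); default 1 keeps upstream behaviour */` would do. It may also be worth noting here that flipping the sysctl to 0 does not affect user namespaces that already exist.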
Why do you believe 991f4ca "add sysctl to allow disabling unprivileged CLONE_NEWUSER" is incomplete rather than refactored? Can you use a user namespace as an unprivileged user after setting the kernel.unprivileged_userns_clone sysctl to 0 under linux 6.17.1.arch1-1?
The patch still looks incomplete to me in 6.19, but I am not a kernel dev. I disabled namespace support under make menuconfig in my kernel build.
Patches get revised for different versions. You don't trust what the commit message says?
[heftig: for 6.17, move all code into kernel/fork.c]Last edited by stu (2026-03-14 12:49:46)