ZEN: Add sysctl and CONFIG to disallow unprivileged CLONE_NEWUSER

Our default behavior continues to match the vanilla kernel.
author: Jan Alexander Steffens (heftig) <jan.steffens@gmail.com> 2019-09-16 04:53:20 +0200
committer: Jan Alexander Steffens (heftig) <heftig@archlinux.org> 2024-11-22 17:00:05 +0100
commit: 1dacd26388e88c0d78294364649360f639b21add (patch)
tree: 348ddf0f40ab784d2208767b37f12828e669fe4e /include
parent: d390303b28dabbb91b2d32016a4f72da478733b9 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index 7183e5aca282..56573371a2f8 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
@@ -159,6 +159,8 @@ static inline void set_userns_rlimit_max(struct user_namespace *ns,
 
 #ifdef CONFIG_USER_NS
 
+extern int unprivileged_userns_clone;
+
 static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
 {
 	if (ns)
@@ -192,6 +194,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns);
 struct ns_common *ns_get_owner(struct ns_common *ns);
 #else
 
+#define unprivileged_userns_clone 0
+
 static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
 {
 	return &init_user_ns;
author	Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>	2019-09-16 04:53:20 +0200
committer	Jan Alexander Steffens (heftig) <heftig@archlinux.org>	2024-11-22 17:00:05 +0100
commit	1dacd26388e88c0d78294364649360f639b21add (patch)
tree	348ddf0f40ab784d2208767b37f12828e669fe4e /include
parent	d390303b28dabbb91b2d32016a4f72da478733b9 (diff)