Serge Hallyn <serge.hallyn@xxxxxxxxxx> writes: > Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx): >> >> Kenton Varda <kenton@xxxxxxxxxxxx> discovered that by remounting a >> read-only bind mount read-only in a user namespace the >> MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user >> to the remount a read-only mount read-write. >> >> Upon review of the code in remount it was discovered that the code allowed >> nosuid, noexec, and nodev to be cleared. It was also discovered that >> the code was allowing the per mount atime flags to be changed. >> >> The first naive patch to fix these issues contained the flaw that using >> default atime settings when remounting a filesystem could be disallowed. >> >> To avoid this problems in the future add tests to ensure unprivileged >> remounts are succeeding and failing at the appropriate times. >> >> Cc: stable@xxxxxxxxxxxxxxx > > one nit below > > Acked-by: Serge E. Hallyn <serge.hallyn@xxxxxxxxxx> >> +#ifndef CLONE_NEWSNS > > Could cause build error in some places... missspelled NEW S NS above. > >> +# define CLONE_NEWNS 0x00020000 >> +#endif You are right that is an embarrassing typo. I wonder how that ever happened. I will take care of that. Eric _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
