Re: Patch "vfs: Ignore unlocked mounts in fs_fully_visible" has been added to the 3.14-stable tree

On Fri, 2015-07-10 at 01:06 -0500, Eric W. Biederman wrote:
> Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> writes:
> 
> > On Wed, Jul 08, 2015 at 03:07:00PM -0700, Greg KH wrote:
> > > On Wed, Jul 08, 2015 at 09:35:08AM -0500, Eric W. Biederman wrote:
> > > > Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> writes:
> > > > 
> > > > > On Wed, Jul 08, 2015 at 08:31:40AM -0500, Eric W. Biederman wrote:
> > > > > > 
> > > > > > Are:
> > > > > > 
> > > > > > mnt: Refactor the logic for mounting sysfs and proc in a user namespace 1b852bceb0d111e510d1a15826ecc4a19358d512
> > > > > > mnt: Modify fs_fully_visible to deal with locked ro nodev and atime     8c6cf9cc829fcd0b179b59f7fe288941d0e31108
> > > > > > 
> > > > > > coming?
> > > > > > 
> > > > > > Anyone being able to remove the read-only mount status of
> > > > > > proc and sysfs is a scary bug.  I think I have seen CVE flying
> > > > > 
> > > > > I was going to wait for the next round of stable kernels for these
> > > > > fixes, I had to draw the line somewhere.  I wasn't aware there was a CVE
> > > > > for this, if you think they should go in now, I'll go add them.
[...]
> > But a hint as to how far back they are needed would be great, they all
> > don't apply cleanly and I need to know how hard I need to work on
> > these for older kernel versions.
> 
> It looks like fs_fully_visible did not come in until 3.12-rc1.  So I
> don't think it is reasonable to worry about backporting things farther
> than 3.12-rc1.
> 
> The infrastructure just is not in place in 3.10.  3.10 as I recall also
> did not have xfs user namespace support which should have resulted in
> user namespaces being disabled in most instances.

But they are still applicable to 3.14, right?   Greg, can you look at
these again?

Ben.

-- 
Ben Hutchings
Knowledge is power.  France is bacon.
