This is a note to let you know that I've just added the patch titled proc: Restrict mounting the proc filesystem to the 3.10-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: proc-restrict-mounting-the-proc-filesystem.patch and it can be found in the queue-3.10 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From aee1c13dd0f6c2fc56e0e492b349ee8ac655880f Mon Sep 17 00:00:00 2001 From: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> Date: Mon, 25 Mar 2013 19:57:10 -0700 Subject: proc: Restrict mounting the proc filesystem From: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> commit aee1c13dd0f6c2fc56e0e492b349ee8ac655880f upstream. Don't allow mounting the proc filesystem unless the caller has CAP_SYS_ADMIN rights over the pid namespace. The principle here is if you create or have capabilities over it you can mount it, otherwise you get to live with what other people have mounted. Andy pointed out that this is needed to prevent users in a user namespace from remounting proc and specifying different hidepid and gid options on already existing proc mounts. Reported-by: Andy Lutomirski <luto@xxxxxxxxxxxxxx> Signed-off-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/proc/root.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/fs/proc/root.c +++ b/fs/proc/root.c @@ -110,7 +110,8 @@ static struct dentry *proc_mount(struct ns = task_active_pid_ns(current); options = data; - if (!current_user_ns()->may_mount_proc) + if (!current_user_ns()->may_mount_proc || + !ns_capable(ns->user_ns, CAP_SYS_ADMIN)) return ERR_PTR(-EPERM); } Patches currently in stable-queue which might be from ebiederm@xxxxxxxxxxxx are queue-3.10/pidns-fix-hang-in-zap_pid_ns_processes-by-sending-a-potentially-extra-wakeup.patch queue-3.10/proc-restrict-mounting-the-proc-filesystem.patch queue-3.10/pidns-fix-vfork-after-unshare-clone_newpid.patch queue-3.10/net-check-the-correct-namespace-when-spoofing-pid-over-scm_rights.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html