On Wed, Jul 08, 2015 at 09:35:08AM -0500, Eric W. Biederman wrote: > Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> writes: > > > On Wed, Jul 08, 2015 at 08:31:40AM -0500, Eric W. Biederman wrote: > >> > >> Are: > >> > >> mnt: Refactor the logic for mounting sysfs and proc in a user namespace 1b852bceb0d111e510d1a15826ecc4a19358d512 > >> mnt: Modify fs_fully_visible to deal with locked ro nodev and atime 8c6cf9cc829fcd0b179b59f7fe288941d0e31108 > >> > >> coming? > >> > >> Anyone being able to remove the read-only mount status of > >> proc and sysfs is scary bug. I think I have seen CVE flying > > > > I was going to wait for the next round of stable kernels for these > > fixes, I had to draw the line somewhere. I wasn't aware there was a CVE > > for this, if you think they should go in now, I'll go add them. > > I don't know about when, all I was making certain about was that the > fixes don't get overlooked. Patches coming into stable out of the order > they were put into my tree caused me concern that patches were being > overlooked. > > As for CVEs it is the nature of the bugs I have been fixing for the last > I don't know how long that someone will attach a CVE. *Sigh* > > > But wasn't there more than just these two? I see a number of patches in > > my queue around this area that you were asking to be included in stable > > kernels. > > There were two basic issues being fixed with clear security implications. > - Ensure new mounts of proc and sysfs have the same read-only attributes > - Making fs_fully_visible accurately ignore only filesystems mounted > on top of proc and sysfs on dedicated directories. > > I was just asking about the two patches that constitute the fix for the > first issue they are compartively simple and the issue is comparatively > scary. Ok, I've started to look into applying this series. Do you think it needs to go back to kernels older than 3.14? Or can we stop there and just do that release and newer? I ask as 3.10 seems to be a bit of a pain to backport parts of it :) thanks, greg k-h -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html