On Wed, Jul 08, 2015 at 03:07:00PM -0700, Greg KH wrote: > On Wed, Jul 08, 2015 at 09:35:08AM -0500, Eric W. Biederman wrote: > > Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> writes: > > > > > On Wed, Jul 08, 2015 at 08:31:40AM -0500, Eric W. Biederman wrote: > > >> > > >> Are: > > >> > > >> mnt: Refactor the logic for mounting sysfs and proc in a user namespace 1b852bceb0d111e510d1a15826ecc4a19358d512 > > >> mnt: Modify fs_fully_visible to deal with locked ro nodev and atime 8c6cf9cc829fcd0b179b59f7fe288941d0e31108 > > >> > > >> coming? > > >> > > >> Anyone being able to remove the read-only mount status of > > >> proc and sysfs is scary bug. I think I have seen CVE flying > > > > > > I was going to wait for the next round of stable kernels for these > > > fixes, I had to draw the line somewhere. I wasn't aware there was a CVE > > > for this, if you think they should go in now, I'll go add them. > > > > I don't know about when, all I was making certain about was that the > > fixes don't get overlooked. Patches coming into stable out of the order > > they were put into my tree caused me concern that patches were being > > overlooked. > > > > As for CVEs it is the nature of the bugs I have been fixing for the last > > I don't know how long that someone will attach a CVE. *Sigh* > > > > > But wasn't there more than just these two? I see a number of patches in > > > my queue around this area that you were asking to be included in stable > > > kernels. > > > > There were two basic issues being fixed with clear security implications. > > - Ensure new mounts of proc and sysfs have the same read-only attributes > > - Making fs_fully_visible accurately ignore only filesystems mounted > > on top of proc and sysfs on dedicated directories. > > > > I was just asking about the two patches that constitute the fix for the > > first issue they are compartively simple and the issue is comparatively > > scary. > > Ok, I've started to look into applying this series. Do you think it > needs to go back to kernels older than 3.14? Or can we stop there and > just do that release and newer? > > I ask as 3.10 seems to be a bit of a pain to backport parts of it :) Ok, these are a bit much to add after a -rc1 is out, I'll queue these up after these next releases that happen in a day or so. But a hint as to how far back they are needed would be great, they all don't apply cleanly and I need to know how hard I need to work on these for older kernel versions. thanks, greg k-h -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html