Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> writes: > On Wed, Jul 08, 2015 at 03:07:00PM -0700, Greg KH wrote: >> On Wed, Jul 08, 2015 at 09:35:08AM -0500, Eric W. Biederman wrote: >> > Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> writes: >> > >> > > On Wed, Jul 08, 2015 at 08:31:40AM -0500, Eric W. Biederman wrote: >> > >> >> > >> Are: >> > >> >> > >> mnt: Refactor the logic for mounting sysfs and proc in a user namespace 1b852bceb0d111e510d1a15826ecc4a19358d512 >> > >> mnt: Modify fs_fully_visible to deal with locked ro nodev and atime 8c6cf9cc829fcd0b179b59f7fe288941d0e31108 >> > >> >> > >> coming? >> > >> >> > >> Anyone being able to remove the read-only mount status of >> > >> proc and sysfs is scary bug. I think I have seen CVE flying >> > > >> > > I was going to wait for the next round of stable kernels for these >> > > fixes, I had to draw the line somewhere. I wasn't aware there was a CVE >> > > for this, if you think they should go in now, I'll go add them. >> > >> > I don't know about when, all I was making certain about was that the >> > fixes don't get overlooked. Patches coming into stable out of the order >> > they were put into my tree caused me concern that patches were being >> > overlooked. >> > >> > As for CVEs it is the nature of the bugs I have been fixing for the last >> > I don't know how long that someone will attach a CVE. *Sigh* >> > >> > > But wasn't there more than just these two? I see a number of patches in >> > > my queue around this area that you were asking to be included in stable >> > > kernels. >> > >> > There were two basic issues being fixed with clear security implications. >> > - Ensure new mounts of proc and sysfs have the same read-only attributes >> > - Making fs_fully_visible accurately ignore only filesystems mounted >> > on top of proc and sysfs on dedicated directories. >> > >> > I was just asking about the two patches that constitute the fix for the >> > first issue they are compartively simple and the issue is comparatively >> > scary. >> >> Ok, I've started to look into applying this series. Do you think it >> needs to go back to kernels older than 3.14? Or can we stop there and >> just do that release and newer? >> >> I ask as 3.10 seems to be a bit of a pain to backport parts of it :) > > Ok, these are a bit much to add after a -rc1 is out, I'll queue these up > after these next releases that happen in a day or so. No problem. > But a hint as to how far back they are needed would be great, they all > don't apply cleanly and I need to know how hard I need to work on > these for older kernel versions. It looks like fs_fully_visible did not come in until 3.12-rc1. So I don't think it is reasonable to worry about backporting things farther than 3.12-rc1. The infrastructure just is not in place in 3.10. 3.10 as I recall also did not have xfs user namespace support which should have resulted in user namespaces being disabled in most instances. Eric -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html