From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from out01.mta.xmission.com ([166.70.13.231]:37359 "EHLO out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932627AbbGHOkn (ORCPT ); Wed, 8 Jul 2015 10:40:43 -0400 From: ebiederm@xmission.com (Eric W. Biederman) To: Greg KH Cc: stable@vger.kernel.org, stable-commits@vger.kernel.org References: <1436340168253173@kroah.com> <874mlebwsj.fsf@x220.int.ebiederm.org> <20150708142130.GA10625@kroah.com> Date: Wed, 08 Jul 2015 09:35:08 -0500 In-Reply-To: <20150708142130.GA10625@kroah.com> (Greg KH's message of "Wed, 8 Jul 2015 07:21:30 -0700") Message-ID: <877fqaafab.fsf@x220.int.ebiederm.org> MIME-Version: 1.0 Content-Type: text/plain Subject: Re: Patch "vfs: Ignore unlocked mounts in fs_fully_visible" has been added to the 3.14-stable tree Sender: stable-owner@vger.kernel.org List-ID: Greg KH writes: > On Wed, Jul 08, 2015 at 08:31:40AM -0500, Eric W. Biederman wrote: >> >> Are: >> >> mnt: Refactor the logic for mounting sysfs and proc in a user namespace 1b852bceb0d111e510d1a15826ecc4a19358d512 >> mnt: Modify fs_fully_visible to deal with locked ro nodev and atime 8c6cf9cc829fcd0b179b59f7fe288941d0e31108 >> >> coming? >> >> Anyone being able to remove the read-only mount status of >> proc and sysfs is scary bug. I think I have seen CVE flying > > I was going to wait for the next round of stable kernels for these > fixes, I had to draw the line somewhere. I wasn't aware there was a CVE > for this, if you think they should go in now, I'll go add them. I don't know about when, all I was making certain about was that the fixes don't get overlooked. Patches coming into stable out of the order they were put into my tree caused me concern that patches were being overlooked. As for CVEs it is the nature of the bugs I have been fixing for the last I don't know how long that someone will attach a CVE. *Sigh* > But wasn't there more than just these two? I see a number of patches in > my queue around this area that you were asking to be included in stable > kernels. There were two basic issues being fixed with clear security implications. - Ensure new mounts of proc and sysfs have the same read-only attributes - Making fs_fully_visible accurately ignore only filesystems mounted on top of proc and sysfs on dedicated directories. I was just asking about the two patches that constitute the fix for the first issue they are compartively simple and the issue is comparatively scary. Eric