From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:56471 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751480AbbGIGMX (ORCPT ); Thu, 9 Jul 2015 02:12:23 -0400 Date: Wed, 8 Jul 2015 23:12:22 -0700 From: Greg KH To: "Eric W. Biederman" Cc: stable@vger.kernel.org, stable-commits@vger.kernel.org Subject: Re: Patch "vfs: Ignore unlocked mounts in fs_fully_visible" has been added to the 3.14-stable tree Message-ID: <20150709061222.GA16657@kroah.com> References: <1436340168253173@kroah.com> <874mlebwsj.fsf@x220.int.ebiederm.org> <20150708142130.GA10625@kroah.com> <877fqaafab.fsf@x220.int.ebiederm.org> <20150708220700.GA5303@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20150708220700.GA5303@kroah.com> Sender: stable-owner@vger.kernel.org List-ID: On Wed, Jul 08, 2015 at 03:07:00PM -0700, Greg KH wrote: > On Wed, Jul 08, 2015 at 09:35:08AM -0500, Eric W. Biederman wrote: > > Greg KH writes: > > > > > On Wed, Jul 08, 2015 at 08:31:40AM -0500, Eric W. Biederman wrote: > > >> > > >> Are: > > >> > > >> mnt: Refactor the logic for mounting sysfs and proc in a user namespace 1b852bceb0d111e510d1a15826ecc4a19358d512 > > >> mnt: Modify fs_fully_visible to deal with locked ro nodev and atime 8c6cf9cc829fcd0b179b59f7fe288941d0e31108 > > >> > > >> coming? > > >> > > >> Anyone being able to remove the read-only mount status of > > >> proc and sysfs is scary bug. I think I have seen CVE flying > > > > > > I was going to wait for the next round of stable kernels for these > > > fixes, I had to draw the line somewhere. I wasn't aware there was a CVE > > > for this, if you think they should go in now, I'll go add them. > > > > I don't know about when, all I was making certain about was that the > > fixes don't get overlooked. Patches coming into stable out of the order > > they were put into my tree caused me concern that patches were being > > overlooked. > > > > As for CVEs it is the nature of the bugs I have been fixing for the last > > I don't know how long that someone will attach a CVE. *Sigh* > > > > > But wasn't there more than just these two? I see a number of patches in > > > my queue around this area that you were asking to be included in stable > > > kernels. > > > > There were two basic issues being fixed with clear security implications. > > - Ensure new mounts of proc and sysfs have the same read-only attributes > > - Making fs_fully_visible accurately ignore only filesystems mounted > > on top of proc and sysfs on dedicated directories. > > > > I was just asking about the two patches that constitute the fix for the > > first issue they are compartively simple and the issue is comparatively > > scary. > > Ok, I've started to look into applying this series. Do you think it > needs to go back to kernels older than 3.14? Or can we stop there and > just do that release and newer? > > I ask as 3.10 seems to be a bit of a pain to backport parts of it :) Ok, these are a bit much to add after a -rc1 is out, I'll queue these up after these next releases that happen in a day or so. But a hint as to how far back they are needed would be great, they all don't apply cleanly and I need to know how hard I need to work on these for older kernel versions. thanks, greg k-h