* Patch "vfs: Ignore unlocked mounts in fs_fully_visible" has been added to the 3.14-stable tree
@ 2015-07-08  7:22 gregkh
  2015-07-08 13:31 ` Eric W. Biederman
  0 siblings, 1 reply; 8+ messages in thread
From: gregkh @ 2015-07-08  7:22 UTC (permalink / raw)
  To: ebiederm, gregkh; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    vfs: Ignore unlocked mounts in fs_fully_visible

to the 3.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     vfs-ignore-unlocked-mounts-in-fs_fully_visible.patch
and it can be found in the queue-3.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


From ceeb0e5d39fcdf4dca2c997bf225c7fc49200b37 Mon Sep 17 00:00:00 2001
From: "Eric W. Biederman" <ebiederm@xmission.com>
Date: Wed, 7 Jan 2015 08:10:09 -0600
Subject: vfs: Ignore unlocked mounts in fs_fully_visible

From: "Eric W. Biederman" <ebiederm@xmission.com>

commit ceeb0e5d39fcdf4dca2c997bf225c7fc49200b37 upstream.

Limit the mounts fs_fully_visible considers to locked mounts.
Unlocked can always be unmounted so considering them adds hassle
but no security benefit.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/namespace.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -3031,11 +3031,15 @@ bool fs_fully_visible(struct file_system
 		if (mnt->mnt.mnt_root != mnt->mnt.mnt_sb->s_root)
 			continue;
 
-		/* This mount is not fully visible if there are any child mounts
-		 * that cover anything except for empty directories.
+		/* This mount is not fully visible if there are any
+		 * locked child mounts that cover anything except for
+		 * empty directories.
 		 */
 		list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) {
 			struct inode *inode = child->mnt_mountpoint->d_inode;
+			/* Only worry about locked mounts */
+			if (!(mnt->mnt.mnt_flags & MNT_LOCKED))
+				continue;
 			if (!S_ISDIR(inode->i_mode))
 				goto next;
 			if (inode->i_nlink > 2)
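
Review bot: The added MNT_LOCKED test inside list_for_each_entry() reads mnt->mnt.mnt_flags, which is the parent mount being examined, while the rewritten comment above the loop and the loop variable both refer to child mounts. As written, the same parent flag is re-tested on every iteration and no child's lock state is ever consulted, so an unlocked parent causes every child to be skipped, including locked children that cover non-empty directories. If the intent is the one stated in the comment ("locked child mounts"), the test should read: if (!(child->mnt.mnt_flags & MNT_LOCKED)). The commit message would also benefit from saying which mount's lock state is meant.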


Patches currently in stable-queue which might be from ebiederm@xmission.com are

queue-3.14/vfs-ignore-unlocked-mounts-in-fs_fully_visible.patch
queue-3.14/vfs-remove-incorrect-debugging-warn-in-prepend_path.patch


* Re: Patch "vfs: Ignore unlocked mounts in fs_fully_visible" has been added to the 3.14-stable tree
  2015-07-08  7:22 Patch "vfs: Ignore unlocked mounts in fs_fully_visible" has been added to the 3.14-stable tree gregkh
@ 2015-07-08 13:31 ` Eric W. Biederman
  2015-07-08 14:21   ` Greg KH
  0 siblings, 1 reply; 8+ messages in thread
From: Eric W. Biederman @ 2015-07-08 13:31 UTC (permalink / raw)
  To: gregkh; +Cc: stable, stable-commits


Are:

mnt: Refactor the logic for mounting sysfs and proc in a user namespace 1b852bceb0d111e510d1a15826ecc4a19358d512
mnt: Modify fs_fully_visible to deal with locked ro nodev and atime     8c6cf9cc829fcd0b179b59f7fe288941d0e31108

coming?

Anyone being able to remove the read-only mount status of
proc and sysfs is a scary bug.  I think I have seen CVE flying

Eric


* Re: Patch "vfs: Ignore unlocked mounts in fs_fully_visible" has been added to the 3.14-stable tree
  2015-07-08 13:31 ` Eric W. Biederman
@ 2015-07-08 14:21   ` Greg KH
  2015-07-08 14:35     ` Eric W. Biederman
  0 siblings, 1 reply; 8+ messages in thread
From: Greg KH @ 2015-07-08 14:21 UTC (permalink / raw)
  To: Eric W. Biederman; +Cc: stable, stable-commits

On Wed, Jul 08, 2015 at 08:31:40AM -0500, Eric W. Biederman wrote:
> 
> Are:
> 
> mnt: Refactor the logic for mounting sysfs and proc in a user namespace 1b852bceb0d111e510d1a15826ecc4a19358d512
> mnt: Modify fs_fully_visible to deal with locked ro nodev and atime     8c6cf9cc829fcd0b179b59f7fe288941d0e31108
> 
> coming?
> 
> Anyone being able to remove the read-only mount status of
> proc and sysfs is a scary bug.  I think I have seen CVE flying

I was going to wait for the next round of stable kernels for these
fixes, I had to draw the line somewhere.  I wasn't aware there was a CVE
for this, if you think they should go in now, I'll go add them.

But wasn't there more than just these two?  I see a number of patches in
my queue around this area that you were asking to be included in stable
kernels.

thanks,

greg k-h


* Re: Patch "vfs: Ignore unlocked mounts in fs_fully_visible" has been added to the 3.14-stable tree
  2015-07-08 14:21   ` Greg KH
@ 2015-07-08 14:35     ` Eric W. Biederman
  2015-07-08 22:07       ` Greg KH
  0 siblings, 1 reply; 8+ messages in thread
From: Eric W. Biederman @ 2015-07-08 14:35 UTC (permalink / raw)
  To: Greg KH; +Cc: stable, stable-commits

Greg KH <gregkh@linuxfoundation.org> writes:

> On Wed, Jul 08, 2015 at 08:31:40AM -0500, Eric W. Biederman wrote:
>> 
>> Are:
>> 
>> mnt: Refactor the logic for mounting sysfs and proc in a user namespace 1b852bceb0d111e510d1a15826ecc4a19358d512
>> mnt: Modify fs_fully_visible to deal with locked ro nodev and atime     8c6cf9cc829fcd0b179b59f7fe288941d0e31108
>> 
>> coming?
>> 
>> Anyone being able to remove the read-only mount status of
>> proc and sysfs is a scary bug.  I think I have seen CVE flying
>
> I was going to wait for the next round of stable kernels for these
> fixes, I had to draw the line somewhere.  I wasn't aware there was a CVE
> for this, if you think they should go in now, I'll go add them.

I don't know about when, all I was making certain about was that the
fixes don't get overlooked.  Patches coming into stable out of the order
they were put into my tree caused me concern that patches were being
overlooked.

As for CVEs it is the nature of the bugs I have been fixing for the last
I don't know how long that someone will attach a CVE.  *Sigh*

> But wasn't there more than just these two?  I see a number of patches in
> my queue around this area that you were asking to be included in stable
> kernels.

There were two basic issues being fixed with clear security implications.
- Ensure new mounts of proc and sysfs have the same read-only attributes
- Making fs_fully_visible accurately ignore only filesystems mounted
  on top of proc and sysfs on dedicated directories.

I was just asking about the two patches that constitute the fix for the
first issue they are comparatively simple and the issue is comparatively
scary.

Eric


* Re: Patch "vfs: Ignore unlocked mounts in fs_fully_visible" has been added to the 3.14-stable tree
  2015-07-08 14:35     ` Eric W. Biederman
@ 2015-07-08 22:07       ` Greg KH
  2015-07-09  6:12         ` Greg KH
  0 siblings, 1 reply; 8+ messages in thread
From: Greg KH @ 2015-07-08 22:07 UTC (permalink / raw)
  To: Eric W. Biederman; +Cc: stable, stable-commits

On Wed, Jul 08, 2015 at 09:35:08AM -0500, Eric W. Biederman wrote:
> Greg KH <gregkh@linuxfoundation.org> writes:
> 
> > On Wed, Jul 08, 2015 at 08:31:40AM -0500, Eric W. Biederman wrote:
> >> 
> >> Are:
> >> 
> >> mnt: Refactor the logic for mounting sysfs and proc in a user namespace 1b852bceb0d111e510d1a15826ecc4a19358d512
> >> mnt: Modify fs_fully_visible to deal with locked ro nodev and atime     8c6cf9cc829fcd0b179b59f7fe288941d0e31108
> >> 
> >> coming?
> >> 
> >> Anyone being able to remove the read-only mount status of
> >> proc and sysfs is a scary bug.  I think I have seen CVE flying
> >
> > I was going to wait for the next round of stable kernels for these
> > fixes, I had to draw the line somewhere.  I wasn't aware there was a CVE
> > for this, if you think they should go in now, I'll go add them.
> 
> I don't know about when, all I was making certain about was that the
> fixes don't get overlooked.  Patches coming into stable out of the order
> they were put into my tree caused me concern that patches were being
> overlooked.
> 
> As for CVEs it is the nature of the bugs I have been fixing for the last
> I don't know how long that someone will attach a CVE.  *Sigh*
> 
> > But wasn't there more than just these two?  I see a number of patches in
> > my queue around this area that you were asking to be included in stable
> > kernels.
> 
> There were two basic issues being fixed with clear security implications.
> - Ensure new mounts of proc and sysfs have the same read-only attributes
> - Making fs_fully_visible accurately ignore only filesystems mounted
>   on top of proc and sysfs on dedicated directories.
> 
> I was just asking about the two patches that constitute the fix for the
> first issue they are comparatively simple and the issue is comparatively
> scary.

Ok, I've started to look into applying this series.  Do you think it
needs to go back to kernels older than 3.14?  Or can we stop there and
just do that release and newer?

I ask as 3.10 seems to be a bit of a pain to backport parts of it :)

thanks,

greg k-h


* Re: Patch "vfs: Ignore unlocked mounts in fs_fully_visible" has been added to the 3.14-stable tree
  2015-07-08 22:07       ` Greg KH
@ 2015-07-09  6:12         ` Greg KH
  2015-07-10  6:06           ` Eric W. Biederman
  0 siblings, 1 reply; 8+ messages in thread
From: Greg KH @ 2015-07-09  6:12 UTC (permalink / raw)
  To: Eric W. Biederman; +Cc: stable, stable-commits

On Wed, Jul 08, 2015 at 03:07:00PM -0700, Greg KH wrote:
> On Wed, Jul 08, 2015 at 09:35:08AM -0500, Eric W. Biederman wrote:
> > Greg KH <gregkh@linuxfoundation.org> writes:
> > 
> > > On Wed, Jul 08, 2015 at 08:31:40AM -0500, Eric W. Biederman wrote:
> > >> 
> > >> Are:
> > >> 
> > >> mnt: Refactor the logic for mounting sysfs and proc in a user namespace 1b852bceb0d111e510d1a15826ecc4a19358d512
> > >> mnt: Modify fs_fully_visible to deal with locked ro nodev and atime     8c6cf9cc829fcd0b179b59f7fe288941d0e31108
> > >> 
> > >> coming?
> > >> 
> > >> Anyone being able to remove the read-only mount status of
> > >> proc and sysfs is a scary bug.  I think I have seen CVE flying
> > >
> > > I was going to wait for the next round of stable kernels for these
> > > fixes, I had to draw the line somewhere.  I wasn't aware there was a CVE
> > > for this, if you think they should go in now, I'll go add them.
> > 
> > I don't know about when, all I was making certain about was that the
> > fixes don't get overlooked.  Patches coming into stable out of the order
> > they were put into my tree caused me concern that patches were being
> > overlooked.
> > 
> > As for CVEs it is the nature of the bugs I have been fixing for the last
> > I don't know how long that someone will attach a CVE.  *Sigh*
> > 
> > > But wasn't there more than just these two?  I see a number of patches in
> > > my queue around this area that you were asking to be included in stable
> > > kernels.
> > 
> > There were two basic issues being fixed with clear security implications.
> > - Ensure new mounts of proc and sysfs have the same read-only attributes
> > - Making fs_fully_visible accurately ignore only filesystems mounted
> >   on top of proc and sysfs on dedicated directories.
> > 
> > I was just asking about the two patches that constitute the fix for the
> > first issue they are comparatively simple and the issue is comparatively
> > scary.
> 
> Ok, I've started to look into applying this series.  Do you think it
> needs to go back to kernels older than 3.14?  Or can we stop there and
> just do that release and newer?
> 
> I ask as 3.10 seems to be a bit of a pain to backport parts of it :)

Ok, these are a bit much to add after a -rc1 is out, I'll queue these up
after these next releases that happen in a day or so.

But a hint as to how far back they are needed would be great, they all
don't apply cleanly and I need to know how hard I need to work on
these for older kernel versions.

thanks,

greg k-h


* Re: Patch "vfs: Ignore unlocked mounts in fs_fully_visible" has been added to the 3.14-stable tree
  2015-07-09  6:12         ` Greg KH
@ 2015-07-10  6:06           ` Eric W. Biederman
  2015-12-12  2:40             ` Ben Hutchings
  0 siblings, 1 reply; 8+ messages in thread
From: Eric W. Biederman @ 2015-07-10  6:06 UTC (permalink / raw)
  To: Greg KH; +Cc: stable, stable-commits

Greg KH <gregkh@linuxfoundation.org> writes:

> On Wed, Jul 08, 2015 at 03:07:00PM -0700, Greg KH wrote:
>> On Wed, Jul 08, 2015 at 09:35:08AM -0500, Eric W. Biederman wrote:
>> > Greg KH <gregkh@linuxfoundation.org> writes:
>> > 
>> > > On Wed, Jul 08, 2015 at 08:31:40AM -0500, Eric W. Biederman wrote:
>> > >> 
>> > >> Are:
>> > >> 
>> > >> mnt: Refactor the logic for mounting sysfs and proc in a user namespace 1b852bceb0d111e510d1a15826ecc4a19358d512
>> > >> mnt: Modify fs_fully_visible to deal with locked ro nodev and atime     8c6cf9cc829fcd0b179b59f7fe288941d0e31108
>> > >> 
>> > >> coming?
>> > >> 
>> > >> Anyone being able to remove the read-only mount status of
>> > >> proc and sysfs is a scary bug.  I think I have seen CVE flying
>> > >
>> > > I was going to wait for the next round of stable kernels for these
>> > > fixes, I had to draw the line somewhere.  I wasn't aware there was a CVE
>> > > for this, if you think they should go in now, I'll go add them.
>> > 
>> > I don't know about when, all I was making certain about was that the
>> > fixes don't get overlooked.  Patches coming into stable out of the order
>> > they were put into my tree caused me concern that patches were being
>> > overlooked.
>> > 
>> > As for CVEs it is the nature of the bugs I have been fixing for the last
>> > I don't know how long that someone will attach a CVE.  *Sigh*
>> > 
>> > > But wasn't there more than just these two?  I see a number of patches in
>> > > my queue around this area that you were asking to be included in stable
>> > > kernels.
>> > 
>> > There were two basic issues being fixed with clear security implications.
>> > - Ensure new mounts of proc and sysfs have the same read-only attributes
>> > - Making fs_fully_visible accurately ignore only filesystems mounted
>> >   on top of proc and sysfs on dedicated directories.
>> > 
>> > I was just asking about the two patches that constitute the fix for the
>> > first issue they are comparatively simple and the issue is comparatively
>> > scary.
>> 
>> Ok, I've started to look into applying this series.  Do you think it
>> needs to go back to kernels older than 3.14?  Or can we stop there and
>> just do that release and newer?
>> 
>> I ask as 3.10 seems to be a bit of a pain to backport parts of it :)
>
> Ok, these are a bit much to add after a -rc1 is out, I'll queue these up
> after these next releases that happen in a day or so.

No problem.

> But a hint as to how far back they are needed would be great, they all
> don't apply cleanly and I need to know how hard I need to work on
> these for older kernel versions.

It looks like fs_fully_visible did not come in until 3.12-rc1.  So I
don't think it is reasonable to worry about backporting things farther
than 3.12-rc1.

The infrastructure just is not in place in 3.10.  3.10 as I recall also
did not have xfs user namespace support which should have resulted in
user namespaces being disabled in most instances.

Eric


* Re: Patch "vfs: Ignore unlocked mounts in fs_fully_visible" has been added to the 3.14-stable tree
  2015-07-10  6:06           ` Eric W. Biederman
@ 2015-12-12  2:40             ` Ben Hutchings
  0 siblings, 0 replies; 8+ messages in thread
From: Ben Hutchings @ 2015-12-12  2:40 UTC (permalink / raw)
  To: Eric W. Biederman, Greg KH; +Cc: stable, stable-commits


On Fri, 2015-07-10 at 01:06 -0500, Eric W. Biederman wrote:
> Greg KH <gregkh@linuxfoundation.org> writes:
> 
> > On Wed, Jul 08, 2015 at 03:07:00PM -0700, Greg KH wrote:
> > > On Wed, Jul 08, 2015 at 09:35:08AM -0500, Eric W. Biederman wrote:
> > > > Greg KH <gregkh@linuxfoundation.org> writes:
> > > > 
> > > > > On Wed, Jul 08, 2015 at 08:31:40AM -0500, Eric W. Biederman wrote:
> > > > > > 
> > > > > > Are:
> > > > > > 
> > > > > > mnt: Refactor the logic for mounting sysfs and proc in a user namespace 1b852bceb0d111e510d1a15826ecc4a19358d512
> > > > > > mnt: Modify fs_fully_visible to deal with locked ro nodev and atime     8c6cf9cc829fcd0b179b59f7fe288941d0e31108
> > > > > > 
> > > > > > coming?
> > > > > > 
> > > > > > Anyone being able to remove the read-only mount status of
> > > > > > > proc and sysfs is a scary bug.  I think I have seen CVE flying
> > > > > 
> > > > > I was going to wait for the next round of stable kernels for these
> > > > > fixes, I had to draw the line somewhere.  I wasn't aware there was a CVE
> > > > > for this, if you think they should go in now, I'll go add them.
[...]
> > But a hint as to how far back they are needed would be great, they all
> > don't apply cleanly and I need to know how hard I need to work on
> > these for older kernel versions.
> 
> It looks like fs_fully_visible did not come in until 3.12-rc1.  So I
> don't think it is reasonable to worry about backporting things farther
> than 3.12-rc1.
> 
> The infrastructure just is not in place in 3.10.  3.10 as I recall also
> did not have xfs user namespace support which should have resulted in
> user namespaces being disabled in most instances.

But they are still applicable to 3.14, right?   Greg, can you look at
these again?

Ben.

-- 
Ben Hutchings
Knowledge is power.  France is bacon.

