<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs/namespace.c, branch linux-3.12.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>mnt: Move the clear of MNT_LOCKED from copy_tree to its callers.</title>
<updated>2016-04-23T07:24:42+00:00</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2014-10-07T23:22:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d26388bb266798547bb0314acc1b222119c1db93'/>
<id>d26388bb266798547bb0314acc1b222119c1db93</id>
<content type='text'>
commit 8486a7882b5ba906992fd78bbfcefaae7fe285cc upstream.

Clear MNT_LOCKED in the callers of copy_tree except copy_mnt_ns, and
collect_mounts.  In copy_mnt_ns it is necessary to create an exact
copy of a mount tree, so not clearing MNT_LOCKED is important.
Similarly collect_mounts is used to take a snapshot of the mount tree
for audit logging purposes and auditing using a faithful copy of the
tree is important.

This becomes particularly significant when we start setting MNT_LOCKED
on rootfs to prevent it from being unmounted.

Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Acked-by: NeilBrown &lt;neilb@suse.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
</entry>
<entry>
<title>umount: Do not allow unmounting rootfs.</title>
<updated>2016-03-30T14:14:14+00:00</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2014-10-07T19:19:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e1ce59d23ead0fa2d3d8e1dabcce3877312a77e9'/>
<id>e1ce59d23ead0fa2d3d8e1dabcce3877312a77e9</id>
<content type='text'>
commit da362b09e42ee0bcaf0356afee6078b4f324baff upstream.

Andrew Vagin &lt;avagin@parallels.com&gt; writes:

&gt; #define _GNU_SOURCE
&gt; #include &lt;sys/types.h&gt;
&gt; #include &lt;sys/stat.h&gt;
&gt; #include &lt;fcntl.h&gt;
&gt; #include &lt;sched.h&gt;
&gt; #include &lt;unistd.h&gt;
&gt; #include &lt;sys/mount.h&gt;
&gt;
&gt; int main(int argc, char **argv)
&gt; {
&gt; 	int fd;
&gt;
&gt; 	fd = open("/proc/self/ns/mnt", O_RDONLY);
&gt; 	if (fd &lt; 0)
&gt; 		return 1;
&gt; 	while (1) {
&gt; 		if (umount2("/", MNT_DETACH) ||
&gt; 		    setns(fd, CLONE_NEWNS))
&gt; 			break;
&gt; 	}
&gt;
&gt; 	return 0;
&gt; }
&gt;
&gt; root@ubuntu:/home/avagin# gcc -Wall nsenter.c -o nsenter
&gt; root@ubuntu:/home/avagin# strace ./nsenter
&gt; execve("./nsenter", ["./nsenter"], [/* 22 vars */]) = 0
&gt; ...
&gt; open("/proc/self/ns/mnt", O_RDONLY)     = 3
&gt; umount("/", MNT_DETACH)                 = 0
&gt; setns(3, 131072)                        = 0
&gt; umount("/", MNT_DETACH
&gt;
causes:

&gt; [  260.548301] ------------[ cut here ]------------
&gt; [  260.550941] kernel BUG at /build/buildd/linux-3.13.0/fs/pnode.c:372!
&gt; [  260.552068] invalid opcode: 0000 [#1] SMP
&gt; [  260.552068] Modules linked in: xt_CHECKSUM iptable_mangle xt_tcpudp xt_addrtype xt_conntrack ipt_MASQUERADE iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack bridge stp llc dm_thin_pool dm_persistent_data dm_bufio dm_bio_prison iptable_filter ip_tables x_tables crct10dif_pclmul crc32_pclmul ghash_clmulni_intel binfmt_misc nfsd auth_rpcgss nfs_acl aesni_intel nfs lockd aes_x86_64 sunrpc fscache lrw gf128mul glue_helper ablk_helper cryptd serio_raw ppdev parport_pc lp parport btrfs xor raid6_pq libcrc32c psmouse floppy
&gt; [  260.552068] CPU: 0 PID: 1723 Comm: nsenter Not tainted 3.13.0-30-generic #55-Ubuntu
&gt; [  260.552068] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
&gt; [  260.552068] task: ffff8800376097f0 ti: ffff880074824000 task.ti: ffff880074824000
&gt; [  260.552068] RIP: 0010:[&lt;ffffffff811e9483&gt;]  [&lt;ffffffff811e9483&gt;] propagate_umount+0x123/0x130
&gt; [  260.552068] RSP: 0018:ffff880074825e98  EFLAGS: 00010246
&gt; [  260.552068] RAX: ffff88007c741140 RBX: 0000000000000002 RCX: ffff88007c741190
&gt; [  260.552068] RDX: ffff88007c741190 RSI: ffff880074825ec0 RDI: ffff880074825ec0
&gt; [  260.552068] RBP: ffff880074825eb0 R08: 00000000000172e0 R09: ffff88007fc172e0
&gt; [  260.552068] R10: ffffffff811cc642 R11: ffffea0001d59000 R12: ffff88007c741140
&gt; [  260.552068] R13: ffff88007c741140 R14: ffff88007c741140 R15: 0000000000000000
&gt; [  260.552068] FS:  00007fd5c7e41740(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
&gt; [  260.552068] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
&gt; [  260.552068] CR2: 00007fd5c7968050 CR3: 0000000070124000 CR4: 00000000000406f0
&gt; [  260.552068] Stack:
&gt; [  260.552068]  0000000000000002 0000000000000002 ffff88007c631000 ffff880074825ed8
&gt; [  260.552068]  ffffffff811dcfac ffff88007c741140 0000000000000002 ffff88007c741160
&gt; [  260.552068]  ffff880074825f38 ffffffff811dd12b ffffffff811cc642 0000000075640000
&gt; [  260.552068] Call Trace:
&gt; [  260.552068]  [&lt;ffffffff811dcfac&gt;] umount_tree+0x20c/0x260
&gt; [  260.552068]  [&lt;ffffffff811dd12b&gt;] do_umount+0x12b/0x300
&gt; [  260.552068]  [&lt;ffffffff811cc642&gt;] ? final_putname+0x22/0x50
&gt; [  260.552068]  [&lt;ffffffff811cc849&gt;] ? putname+0x29/0x40
&gt; [  260.552068]  [&lt;ffffffff811dd88c&gt;] SyS_umount+0xdc/0x100
&gt; [  260.552068]  [&lt;ffffffff8172aeff&gt;] tracesys+0xe1/0xe6
&gt; [  260.552068] Code: 89 50 08 48 8b 50 08 48 89 02 49 89 45 08 e9 72 ff ff ff 0f 1f 44 00 00 4c 89 e6 4c 89 e7 e8 f5 f6 ff ff 48 89 c3 e9 39 ff ff ff &lt;0f&gt; 0b 66 2e 0f 1f 84 00 00 00 00 00 90 66 66 66 66 90 55 b8 01
&gt; [  260.552068] RIP  [&lt;ffffffff811e9483&gt;] propagate_umount+0x123/0x130
&gt; [  260.552068]  RSP &lt;ffff880074825e98&gt;
&gt; [  260.611451] ---[ end trace 11c33d85f1d4c652 ]--

Which in practice is totally uninteresting.  Only the global root user can
do it, and it is just a stupid thing to do.

However that is no excuse to allow a silly way to oops the kernel.

We can avoid this silly problem by setting MNT_LOCKED on the rootfs
mount point and thus avoid needing any special cases in the unmount
code.

Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
</entry>
<entry>
<title>vfs: Ignore unlocked mounts in fs_fully_visible</title>
<updated>2015-07-30T12:10:44+00:00</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2015-01-07T14:10:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5029d7e0b1f8fc45efdc6fad2dd688801476b505'/>
<id>5029d7e0b1f8fc45efdc6fad2dd688801476b505</id>
<content type='text'>
commit ceeb0e5d39fcdf4dca2c997bf225c7fc49200b37 upstream.

Limit the mounts fs_fully_visible considers to locked mounts.
Unlocked can always be unmounted so considering them adds hassle
but no security benefit.

Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
</entry>
<entry>
<title>fs: namespace: suppress 'may be used uninitialized' warnings</title>
<updated>2015-06-23T17:22:28+00:00</updated>
<author>
<name>Tim Gardner</name>
<email>tim.gardner@canonical.com</email>
</author>
<published>2014-08-28T17:26:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cafc838460ca969e0f85a8462699543ba384ebed'/>
<id>cafc838460ca969e0f85a8462699543ba384ebed</id>
<content type='text'>
commit b8850d1fa8e2f6653e57daf6d08e58c5f5eb2c85 upstream.

The gcc version 4.9.1 compiler complains even though it isn't possible for
these variables to not get initialized before they are used.

fs/namespace.c: In function ‘SyS_mount’:
fs/namespace.c:2720:8: warning: ‘kernel_dev’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  ret = do_mount(kernel_dev, kernel_dir-&gt;name, kernel_type, flags,
        ^
fs/namespace.c:2699:8: note: ‘kernel_dev’ was declared here
  char *kernel_dev;
        ^
fs/namespace.c:2720:8: warning: ‘kernel_type’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  ret = do_mount(kernel_dev, kernel_dir-&gt;name, kernel_type, flags,
        ^
fs/namespace.c:2697:8: note: ‘kernel_type’ was declared here
  char *kernel_type;
        ^

Fix the warnings by simplifying copy_mount_string() as suggested by Al Viro.

Cc: Alexander Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Tim Gardner &lt;tim.gardner@canonical.com&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
</entry>
<entry>
<title>mnt: Fail collect_mounts when applied to unmounted mounts</title>
<updated>2015-05-26T14:26:55+00:00</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2015-01-07T20:28:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6ab282fe6d43027b3b1ef820b3798aae8fdb432b'/>
<id>6ab282fe6d43027b3b1ef820b3798aae8fdb432b</id>
<content type='text'>
commit cd4a40174b71acd021877341684d8bb1dc8ea4ae upstream.

The only users of collect_mounts are in audit_tree.c

In audit_trim_trees and audit_add_tree_rule the path passed into
collect_mounts is generated from kern_path passed an audit_tree
pathname which is guaranteed to be an absolute path.   In those cases
collect_mounts is obviously intended to work on mounted paths and
if a race results in paths that are unmounted when collect_mounts
it is reasonable to fail early.

The paths passed into audit_tag_tree don't have the absolute path
check.  But are used to play with fsnotify and otherwise interact with
the audit_trees, so again operating only on mounted paths appears
reasonable.

Avoid having to worry about what happens when we try and audit
unmounted filesystems by restricting collect_mounts to mounts
that appear in the mount tree.

Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
</entry>
<entry>
<title>mnt: Fix fs_fully_visible to verify the root directory is visible</title>
<updated>2015-05-16T07:12:43+00:00</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2015-05-08T21:36:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=95c021d8b720eb3ade60e98b593f38a47df039fb'/>
<id>95c021d8b720eb3ade60e98b593f38a47df039fb</id>
<content type='text'>
commit 7e96c1b0e0f495c5a7450dc4aa7c9a24ba4305bd upstream.

This fixes a dumb bug in fs_fully_visible that allows proc or sys to
be mounted if there is a bind mount of part of /proc/ or /sys/ visible.

Reported-by: Eric Windisch &lt;ewindisch@docker.com&gt;
Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
</entry>
<entry>
<title>umount: Disallow unprivileged mount force</title>
<updated>2015-01-07T16:55:09+00:00</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2014-10-04T21:44:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e3783a9e6f416ee140ac4ca7184f269c537593f1'/>
<id>e3783a9e6f416ee140ac4ca7184f269c537593f1</id>
<content type='text'>
commit b2f5d4dc38e034eecb7987e513255265ff9aa1cf upstream.

Forced unmount affects not just the mount namespace but the underlying
superblock as well.  Restrict forced unmount to the global root user
for now.  Otherwise it becomes possible for a user in a less privileged
mount namespace to force the shutdown of a superblock of a filesystem
in a more privileged mount namespace, allowing a DOS attack on root.

Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
</entry>
<entry>
<title>mnt: Implicitly add MNT_NODEV on remount when it was implicitly added by mount</title>
<updated>2015-01-07T16:55:08+00:00</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2014-08-13T08:33:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a4c2b660f35a1f1201cea27d5fbad41482b191fc'/>
<id>a4c2b660f35a1f1201cea27d5fbad41482b191fc</id>
<content type='text'>
commit 3e1866410f11356a9fd869beb3e95983dc79c067 upstream.

Now that remount is properly enforcing the rule that you can't remove
nodev, at least sandstorm.io is breaking when performing a remount.

It turns out that there is an easy intuitive solution: implicitly
add nodev on remount when nodev was implicitly added on mount.

Tested-by: Cedric Bosdonnat &lt;cbosdonnat@suse.com&gt;
Tested-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
</entry>
<entry>
<title>mnt: Prevent pivot_root from creating a loop in the mount tree</title>
<updated>2014-11-13T18:02:17+00:00</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2014-10-08T17:42:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=365446fe1c7bf1b481cedfb9e50cfc8a86fdde89'/>
<id>365446fe1c7bf1b481cedfb9e50cfc8a86fdde89</id>
<content type='text'>
commit 0d0826019e529f21c84687521d03f60cd241ca7d upstream.

Andy Lutomirski recently demonstrated that when chroot is used to set
the root path below the path for the new ``root'' passed to pivot_root
the pivot_root system call succeeds and leaks mounts.

In examining the code I see that starting with a new root that is
below the current root in the mount tree will result in a loop in the
mount tree after the mounts are detached and then reattached to one
another.  Resulting in all kinds of ugliness including a leak of the
mounts involved in the leak of the mount loop.

Prevent this problem by ensuring that the new mount is reachable from
the current root of the mount tree.

[Added stable cc.  Fixes CVE-2014-7970.  --Andy]

Reported-by: Andy Lutomirski &lt;luto@amacapital.net&gt;
Reviewed-by: Andy Lutomirski &lt;luto@amacapital.net&gt;
Link: http://lkml.kernel.org/r/87bnpmihks.fsf@x220.int.ebiederm.org
Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: Andy Lutomirski &lt;luto@amacapital.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
</entry>
<entry>
<title>fs: Add a missing permission check to do_umount</title>
<updated>2014-10-17T07:43:21+00:00</updated>
<author>
<name>Andy Lutomirski</name>
<email>luto@amacapital.net</email>
</author>
<published>2014-10-08T19:32:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8d9c8c3980a85d79db13c5ce4bb118fef32d4f50'/>
<id>8d9c8c3980a85d79db13c5ce4bb118fef32d4f50</id>
<content type='text'>
commit a1480dcc3c706e309a88884723446f2e84fedd5b upstream.

Accessing do_remount_sb should require global CAP_SYS_ADMIN, but
only one of the two call sites was appropriately protected.

Fixes CVE-2014-7975.

Signed-off-by: Andy Lutomirski &lt;luto@amacapital.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
</entry>
</feed>
