Greg KH <[email protected]> writes: > On Wed, Jul 08, 2015 at 08:31:40AM -0500, Eric W. Biederman wrote: >> >> Are: >> >> mnt: Refactor the logic for mounting sysfs and proc in a user namespace >> 1b852bceb0d111e510d1a15826ecc4a19358d512 >> mnt: Modify fs_fully_visible to deal with locked ro nodev and atime >> 8c6cf9cc829fcd0b179b59f7fe288941d0e31108 >> >> coming? >> >> Anyone being able to remove the read-only mount status of >> proc and sysfs is scary bug. I think I have seen CVE flying > > I was going to wait for the next round of stable kernels for these > fixes, I had to draw the line somewhere. I wasn't aware there was a CVE > for this, if you think they should go in now, I'll go add them.
I don't know about when, all I was making certain about was that the fixes don't get overlooked. Patches coming into stable out of the order they were put into my tree caused me concern that patches were being overlooked. As for CVEs it is the nature of the bugs I have been fixing for the last I don't know how long that someone will attach a CVE. *Sigh* > But wasn't there more than just these two? I see a number of patches in > my queue around this area that you were asking to be included in stable > kernels. There were two basic issues being fixed with clear security implications. - Ensure new mounts of proc and sysfs have the same read-only attributes - Making fs_fully_visible accurately ignore only filesystems mounted on top of proc and sysfs on dedicated directories. I was just asking about the two patches that constitute the fix for the first issue they are compartively simple and the issue is comparatively scary. Eric -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
