author | Adrian Dudau <adrian.dudau@enea.com> | 2016-01-15 17:30:44 +0100 |
committer | Adrian Dudau <adrian.dudau@enea.com> | 2016-01-15 17:30:44 +0100 |
commit | 7a99472f8509aad0799895d75e1326b76d332e21 (patch) | |
tree | 52e2e907a4bccafd45b248f1354b8093e6652253 /recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch | |
initial commit for Enea Linux 5.0-ppc
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Diffstat (limited to 'recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch')
-rw-r--r-- | recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch | 137 |
1 files changed, 137 insertions, 0 deletions
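--- /dev/null
+++ b/recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch
@@ -0,0 +1,137 @@
+From 8b18c0adbc5d0cb1530692e72bcfb88fd7bb77bb Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Mon, 28 Jul 2014 17:26:07 -0700
+Subject: [PATCH] mnt: Correct permission checks in do_remount
+
+commit 9566d6742852c527bf5af38af5cbb878dad75705 upstream.
+
+While invesgiating the issue where in "mount --bind -oremount,ro ..."
+would result in later "mount --bind -oremount,rw" succeeding even if
+the mount started off locked I realized that there are several
+additional mount flags that should be locked and are not.
+
+In particular MNT_NOSUID, MNT_NODEV, MNT_NOEXEC, and the atime
+flags in addition to MNT_READONLY should all be locked. These
+flags are all per superblock, can all be changed with MS_BIND,
+and should not be changable if set by a more privileged user.
+
+The following additions to the current logic are added in this patch.
+- nosuid may not be clearable by a less privileged user.
+- nodev may not be clearable by a less privielged user.
+- noexec may not be clearable by a less privileged user.
+- atime flags may not be changeable by a less privileged user.
+
+The logic with atime is that always setting atime on access is a
+global policy and backup software and auditing software could break if
+atime bits are not updated (when they are configured to be updated),
+and serious performance degradation could result (DOS attack) if atime
+updates happen when they have been explicitly disabled. Therefore an
+unprivileged user should not be able to mess with the atime bits set
+by a more privileged user.
+
+The additional restrictions are implemented with the addition of
+MNT_LOCK_NOSUID, MNT_LOCK_NODEV, MNT_LOCK_NOEXEC, and MNT_LOCK_ATIME
+mnt flags.
+
+Taken together these changes and the fixes for MNT_LOCK_READONLY
+should make it safe for an unprivileged user to create a user
+namespace and to call "mount --bind -o remount,... ..." without
+the danger of mount flags being changed maliciously.
+
+Fix for CVE-2014-5206 and CVE-2014-5207
+Upstream-Status: backport
+
+Cc: stable@vger.kernel.org
+Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+fs/namespace.c | 36 +++++++++++++++++++++++++++++++++---
+include/linux/mount.h | 5 +++++
+2 files changed, 38 insertions(+), 3 deletions(-)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index 8e90b03..7c67de8 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -827,8 +827,21 @@ static struct mount *clone_mnt(struct mount *old, struct dentry *root,
+
+mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~MNT_WRITE_HOLD;
+/* Don't allow unprivileged users to change mount flags */
+- if ((flag & CL_UNPRIVILEGED) && (mnt->mnt.mnt_flags & MNT_READONLY))
+- mnt->mnt.mnt_flags |= MNT_LOCK_READONLY;
++ if (flag & CL_UNPRIVILEGED) {
++ mnt->mnt.mnt_flags |= MNT_LOCK_ATIME;
++
++ if (mnt->mnt.mnt_flags & MNT_READONLY)
++ mnt->mnt.mnt_flags |= MNT_LOCK_READONLY;
++
++ if (mnt->mnt.mnt_flags & MNT_NODEV)
++ mnt->mnt.mnt_flags |= MNT_LOCK_NODEV;
++
++ if (mnt->mnt.mnt_flags & MNT_NOSUID)
++ mnt->mnt.mnt_flags |= MNT_LOCK_NOSUID;
++
++ if (mnt->mnt.mnt_flags & MNT_NOEXEC)
++ mnt->mnt.mnt_flags |= MNT_LOCK_NOEXEC;
++ }
+
+/* Don't allow unprivileged users to reveal what is under a mount */
+if ((flag & CL_UNPRIVILEGED) && list_empty(&old->mnt_expire))
+@@ -1841,6 +1854,23 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
+!(mnt_flags & MNT_READONLY)) {
+return -EPERM;
+}
++ if ((mnt->mnt.mnt_flags & MNT_LOCK_NODEV) &&
++ !(mnt_flags & MNT_NODEV)) {
++ return -EPERM;
++ }
++ if ((mnt->mnt.mnt_flags & MNT_LOCK_NOSUID) &&
++ !(mnt_flags & MNT_NOSUID)) {
++ return -EPERM;
++ }
++ if ((mnt->mnt.mnt_flags & MNT_LOCK_NOEXEC) &&
++ !(mnt_flags & MNT_NOEXEC)) {
++ return -EPERM;
++ }
++ if ((mnt->mnt.mnt_flags & MNT_LOCK_ATIME) &&
++ ((mnt->mnt.mnt_flags & MNT_ATIME_MASK) != (mnt_flags & MNT_ATIME_MASK))) {
++ return -EPERM;
++ }
++
+err = security_sb_remount(sb, data);
+if (err)
+return err;
+@@ -2043,7 +2073,7 @@ static int do_new_mount(struct path *path, const char *fstype, int flags,
+*/
+if (!(type->fs_flags & FS_USERNS_DEV_MOUNT)) {
+flags |= MS_NODEV;
+- mnt_flags |= MNT_NODEV;
++ mnt_flags |= MNT_NODEV | MNT_LOCK_NODEV;
+}
+}
+
+diff --git a/include/linux/mount.h b/include/linux/mount.h
+index 8707c9e..22e5b96 100644
+--- a/include/linux/mount.h
++++ b/include/linux/mount.h
+@@ -45,10 +45,15 @@ struct mnt_namespace;
+#define MNT_USER_SETTABLE_MASK (MNT_NOSUID | MNT_NODEV | MNT_NOEXEC \
+| MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME \
+| MNT_READONLY)
++#define MNT_ATIME_MASK (MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME )
+
+
+#define MNT_INTERNAL 0x4000
+
++#define MNT_LOCK_ATIME 0x040000
++#define MNT_LOCK_NOEXEC 0x080000
++#define MNT_LOCK_NOSUID 0x100000
++#define MNT_LOCK_NODEV 0x200000
+#define MNT_LOCK_READONLY 0x400000
+#define MNT_LOCKED 0x800000
+
+--
+1.9.1
+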
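Review bot: The four new MNT_LOCK_* checks added to do_remount (hunk at `@@ -1841,6 +1854,23 @@`) only gate the comparison; the later write-back of `mnt_flags` into `mnt->mnt.mnt_flags` on a successful remount is outside this hunk, and if that assignment replaces the whole flags word (as the upstream code of this era did) the lock bits set in clone_mnt are discarded on the first permitted remount, so a second remount is no longer constrained — this is the bind-mount remount path CVE-2014-5206 describes, which upstream closed separately in "mnt: Only change user settable mount flags in remount" and which this backport file does not carry. The usual form is to preserve the non-user bits before the assignment, e.g. `mnt_flags |= mnt->mnt.mnt_flags & ~MNT_USER_SETTABLE_MASK;` using the mask already defined in mount.h in this patch; confirm the recipe's other patches or the target tree contain the equivalent. Separately, the MNT_LOCK_ATIME check compares the full MNT_ATIME_MASK against the caller's `mnt_flags`, which is computed in do_mount outside the hunk; if that code defaults a remount with no atime option to MNT_RELATIME, an unprivileged `mount -o remount,ro` of a locked noatime mount will now fail with -EPERM (upstream addressed this in "mnt: Change the default remount atime from relatime to the existing value"). Both do_remount and clone_mnt start and end outside the hunks shown.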