1 files changed, 62 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch
new file mode 100644
index 0000000..aec8930
--- /dev/null
+++ b/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch
@@ -0,0 +1,62 @@
+From 25c1def33a2f74079f3062b7afdf98fcf9f34e6d Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Mon, 28 Jul 2014 16:26:53 -0700
+Subject: [PATCH] mnt: Only change user settable mount flags in remount
+commit a6138db815df5ee542d848318e5dae681590fccd upstream.
+Kenton Varda <kenton@sandstorm.io> discovered that by remounting a
+read-only bind mount read-only in a user namespace the
+MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user
+to the remount a read-only mount read-write.
+Correct this by replacing the mask of mount flags to preserve
+with a mask of mount flags that may be changed, and preserve
+all others.   This ensures that any future bugs with this mask and
+remount will fail in an easy to detect way where new mount flags
+simply won't change.
+Fix for CVE-2014-5206 and CVE-2014-5207
+Upstream-Status: backport
+Cc: stable@vger.kernel.org
+Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/namespace.c        | 2 +-
+ include/linux/mount.h | 4 +++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+diff --git a/fs/namespace.c b/fs/namespace.c
+index 84447db..34fa7a5 100644
+--- a/fs/namespace.c
+++ b/fs/namespace.c
+@@ -1847,7 +1847,7 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
+                err = do_remount_sb(sb, flags, data, 0);
+        if (!err) {
+                br_write_lock(&vfsmount_lock);
+-               mnt_flags |= mnt->mnt.mnt_flags & MNT_PROPAGATION_MASK;
+               mnt_flags |= mnt->mnt.mnt_flags & ~MNT_USER_SETTABLE_MASK;
+                mnt->mnt.mnt_flags = mnt_flags;
+                br_write_unlock(&vfsmount_lock);
+        }
+diff --git a/include/linux/mount.h b/include/linux/mount.h
+index 38cd98f..8707c9e 100644
+--- a/include/linux/mount.h
+++ b/include/linux/mount.h
+@@ -42,7 +42,9 @@ struct mnt_namespace;
+  * flag, consider how it interacts with shared mounts.
+  */
+ #define MNT_SHARED_MASK        (MNT_UNBINDABLE)
+-#define MNT_PROPAGATION_MASK   (MNT_SHARED | MNT_UNBINDABLE)
+#define MNT_USER_SETTABLE_MASK  (MNT_NOSUID | MNT_NODEV | MNT_NOEXEC \
+                                | MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME \
+                                | MNT_READONLY)
+ 
+ 
+ #define MNT_INTERNAL   0x4000
+-- 
+1.9.1

diff --git a/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch new file mode 100644 index 0000000..aec8930 --- /dev/null +++ b/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch
@@ -0,0 +1,62 @@
	1	From 25c1def33a2f74079f3062b7afdf98fcf9f34e6d Mon Sep 17 00:00:00 2001
	2	From: "Eric W. Biederman" <ebiederm@xmission.com>
	3	Date: Mon, 28 Jul 2014 16:26:53 -0700
	4	Subject: [PATCH] mnt: Only change user settable mount flags in remount
	5
	6	commit a6138db815df5ee542d848318e5dae681590fccd upstream.
	7
	8	Kenton Varda <kenton@sandstorm.io> discovered that by remounting a
	9	read-only bind mount read-only in a user namespace the
	10	MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user
	11	to the remount a read-only mount read-write.
	12
	13	Correct this by replacing the mask of mount flags to preserve
	14	with a mask of mount flags that may be changed, and preserve
	15	all others. This ensures that any future bugs with this mask and
	16	remount will fail in an easy to detect way where new mount flags
	17	simply won't change.
	18
	19	Fix for CVE-2014-5206 and CVE-2014-5207
	20	Upstream-Status: backport
	21
	22	Cc: stable@vger.kernel.org
	23	Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
	24	Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
	25	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
	26	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	27	---
	28	fs/namespace.c \| 2 +-
	29	include/linux/mount.h \| 4 +++-
	30	2 files changed, 4 insertions(+), 2 deletions(-)
	31
	32	diff --git a/fs/namespace.c b/fs/namespace.c
	33	index 84447db..34fa7a5 100644
	34	--- a/fs/namespace.c
	35	+++ b/fs/namespace.c
	36	@@ -1847,7 +1847,7 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
	37	err = do_remount_sb(sb, flags, data, 0);
	38	if (!err) {
	39	br_write_lock(&vfsmount_lock);
	40	- mnt_flags \|= mnt->mnt.mnt_flags & MNT_PROPAGATION_MASK;
	41	+ mnt_flags \|= mnt->mnt.mnt_flags & ~MNT_USER_SETTABLE_MASK;
	42	mnt->mnt.mnt_flags = mnt_flags;
	43	br_write_unlock(&vfsmount_lock);
	44	}
	45	diff --git a/include/linux/mount.h b/include/linux/mount.h
	46	index 38cd98f..8707c9e 100644
	47	--- a/include/linux/mount.h
	48	+++ b/include/linux/mount.h
	49	@@ -42,7 +42,9 @@ struct mnt_namespace;
	50	* flag, consider how it interacts with shared mounts.
	51	*/
	52	#define MNT_SHARED_MASK (MNT_UNBINDABLE)
	53	-#define MNT_PROPAGATION_MASK (MNT_SHARED \| MNT_UNBINDABLE)
	54	+#define MNT_USER_SETTABLE_MASK (MNT_NOSUID \| MNT_NODEV \| MNT_NOEXEC \
	55	+ \| MNT_NOATIME \| MNT_NODIRATIME \| MNT_RELATIME \
	56	+ \| MNT_READONLY)
	57
	58
	59	#define MNT_INTERNAL 0x4000
	60	--
	61	1.9.1
	62