1 files changed, 62 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch
new file mode 100644
index 0000000..b08f217
--- /dev/null
+++ b/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch
@@ -0,0 +1,62 @@
+From cab259f821fad20afa688d3fbeb47356447ac20b Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Mon, 28 Jul 2014 17:10:56 -0700
+Subject: [PATCH] mnt: Move the test for MNT_LOCK_READONLY from
+ change_mount_flags into do_remount
+commit 07b645589dcda8b7a5249e096fece2a67556f0f4 upstream.
+There are no races as locked mount flags are guaranteed to never change.
+Moving the test into do_remount makes it more visible, and ensures all
+filesystem remounts pass the MNT_LOCK_READONLY permission check.  This
+second case is not an issue today as filesystem remounts are guarded
+by capable(CAP_DAC_ADMIN) and thus will always fail in less privileged
+mount namespaces, but it could become an issue in the future.
+Fix for CVE-2014-5206 and CVE-2014-5207
+Upstream-Status: backport
+Cc: stable@vger.kernel.org
+Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/namespace.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+diff --git a/fs/namespace.c b/fs/namespace.c
+index 34fa7a5..8e90b03 100644
+--- a/fs/namespace.c
+++ b/fs/namespace.c
+@@ -1806,9 +1806,6 @@ static int change_mount_flags(struct vfsmount *mnt, int ms_flags)
+        if (readonly_request == __mnt_is_readonly(mnt))
+                return 0;
+ 
+-       if (mnt->mnt_flags & MNT_LOCK_READONLY)
+-               return -EPERM;
+-
+        if (readonly_request)
+                error = mnt_make_readonly(real_mount(mnt));
+        else
+@@ -1834,6 +1831,16 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
+        if (path->dentry != path->mnt->mnt_root)
+                return -EINVAL;
+ 
+       /* Don't allow changing of locked mnt flags.
+        *
+        * No locks need to be held here while testing the various
+        * MNT_LOCK flags because those flags can never be cleared
+        * once they are set.
+        */
+       if ((mnt->mnt.mnt_flags & MNT_LOCK_READONLY) &&
+           !(mnt_flags & MNT_READONLY)) {
+               return -EPERM;
+       }
+        err = security_sb_remount(sb, data);
+        if (err)
+                return err;
+-- 
+1.9.1

diff --git a/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch new file mode 100644 index 0000000..b08f217 --- /dev/null +++ b/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch
@@ -0,0 +1,62 @@
	1	From cab259f821fad20afa688d3fbeb47356447ac20b Mon Sep 17 00:00:00 2001
	2	From: "Eric W. Biederman" <ebiederm@xmission.com>
	3	Date: Mon, 28 Jul 2014 17:10:56 -0700
	4	Subject: [PATCH] mnt: Move the test for MNT_LOCK_READONLY from
	5	change_mount_flags into do_remount
	6
	7	commit 07b645589dcda8b7a5249e096fece2a67556f0f4 upstream.
	8
	9	There are no races as locked mount flags are guaranteed to never change.
	10
	11	Moving the test into do_remount makes it more visible, and ensures all
	12	filesystem remounts pass the MNT_LOCK_READONLY permission check. This
	13	second case is not an issue today as filesystem remounts are guarded
	14	by capable(CAP_DAC_ADMIN) and thus will always fail in less privileged
	15	mount namespaces, but it could become an issue in the future.
	16
	17	Fix for CVE-2014-5206 and CVE-2014-5207
	18	Upstream-Status: backport
	19
	20	Cc: stable@vger.kernel.org
	21	Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
	22	Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
	23	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
	24	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	25	---
	26	fs/namespace.c \| 13 ++++++++++---
	27	1 file changed, 10 insertions(+), 3 deletions(-)
	28
	29	diff --git a/fs/namespace.c b/fs/namespace.c
	30	index 34fa7a5..8e90b03 100644
	31	--- a/fs/namespace.c
	32	+++ b/fs/namespace.c
	33	@@ -1806,9 +1806,6 @@ static int change_mount_flags(struct vfsmount *mnt, int ms_flags)
	34	if (readonly_request == __mnt_is_readonly(mnt))
	35	return 0;
	36
	37	- if (mnt->mnt_flags & MNT_LOCK_READONLY)
	38	- return -EPERM;
	39	-
	40	if (readonly_request)
	41	error = mnt_make_readonly(real_mount(mnt));
	42	else
	43	@@ -1834,6 +1831,16 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
	44	if (path->dentry != path->mnt->mnt_root)
	45	return -EINVAL;
	46
	47	+ /* Don't allow changing of locked mnt flags.
	48	+ *
	49	+ * No locks need to be held here while testing the various
	50	+ * MNT_LOCK flags because those flags can never be cleared
	51	+ * once they are set.
	52	+ */
	53	+ if ((mnt->mnt.mnt_flags & MNT_LOCK_READONLY) &&
	54	+ !(mnt_flags & MNT_READONLY)) {
	55	+ return -EPERM;
	56	+ }
	57	err = security_sb_remount(sb, data);
	58	if (err)
	59	return err;
	60	--
	61	1.9.1
	62