1 files changed, 64 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch
new file mode 100644
index 0000000..8cd4b13
--- /dev/null
+++ b/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch
@@ -0,0 +1,64 @@
+From fafbc9412b8f2dae04bc3ca233ae7b49482c8df8 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Mon, 28 Jul 2014 17:36:04 -0700
+Subject: [PATCH] mnt: Change the default remount atime from relatime to the
+ existing value
+commit ffbc6f0ead47fa5a1dc9642b0331cb75c20a640e upstream.
+Since March 2009 the kernel has treated the state that if no
+MS_..ATIME flags are passed then the kernel defaults to relatime.
+Defaulting to relatime instead of the existing atime state during a
+remount is silly, and causes problems in practice for people who don't
+specify any MS_...ATIME flags and to get the default filesystem atime
+setting.  Those users may encounter a permission error because the
+default atime setting does not work.
+A default that does not work and causes permission problems is
+ridiculous, so preserve the existing value to have a default
+atime setting that is always guaranteed to work.
+Using the default atime setting in this way is particularly
+interesting for applications built to run in restricted userspace
+environments without /proc mounted, as the existing atime mount
+options of a filesystem can not be read from /proc/mounts.
+In practice this fixes user space that uses the default atime
+setting on remount that are broken by the permission checks
+keeping less privileged users from changing more privileged users
+atime settings.
+Fix for CVE-2014-5206 and CVE-2014-5207
+Upstream-Status: backport
+Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/namespace.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+diff --git a/fs/namespace.c b/fs/namespace.c
+index 7c67de8..4ea2b73 100644
+--- a/fs/namespace.c
+++ b/fs/namespace.c
+@@ -2391,6 +2391,14 @@ long do_mount(const char *dev_name, const char *dir_name,
+        if (flags & MS_RDONLY)
+                mnt_flags |= MNT_READONLY;
+ 
+       /* The default atime for remount is preservation */
+       if ((flags & MS_REMOUNT) &&
+           ((flags & (MS_NOATIME | MS_NODIRATIME | MS_RELATIME |
+                      MS_STRICTATIME)) == 0)) {
+               mnt_flags &= ~MNT_ATIME_MASK;
+               mnt_flags |= path.mnt->mnt_flags & MNT_ATIME_MASK;
+       }
+
+        flags &= ~(MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_ACTIVE | MS_BORN |
+                   MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
+                   MS_STRICTATIME);
+-- 
+1.9.1

diff --git a/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch new file mode 100644 index 0000000..8cd4b13 --- /dev/null +++ b/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch
@@ -0,0 +1,64 @@
	1	From fafbc9412b8f2dae04bc3ca233ae7b49482c8df8 Mon Sep 17 00:00:00 2001
	2	From: "Eric W. Biederman" <ebiederm@xmission.com>
	3	Date: Mon, 28 Jul 2014 17:36:04 -0700
	4	Subject: [PATCH] mnt: Change the default remount atime from relatime to the
	5	existing value
	6
	7	commit ffbc6f0ead47fa5a1dc9642b0331cb75c20a640e upstream.
	8
	9	Since March 2009 the kernel has treated the state that if no
	10	MS_..ATIME flags are passed then the kernel defaults to relatime.
	11
	12	Defaulting to relatime instead of the existing atime state during a
	13	remount is silly, and causes problems in practice for people who don't
	14	specify any MS_...ATIME flags and to get the default filesystem atime
	15	setting. Those users may encounter a permission error because the
	16	default atime setting does not work.
	17
	18	A default that does not work and causes permission problems is
	19	ridiculous, so preserve the existing value to have a default
	20	atime setting that is always guaranteed to work.
	21
	22	Using the default atime setting in this way is particularly
	23	interesting for applications built to run in restricted userspace
	24	environments without /proc mounted, as the existing atime mount
	25	options of a filesystem can not be read from /proc/mounts.
	26
	27	In practice this fixes user space that uses the default atime
	28	setting on remount that are broken by the permission checks
	29	keeping less privileged users from changing more privileged users
	30	atime settings.
	31
	32	Fix for CVE-2014-5206 and CVE-2014-5207
	33	Upstream-Status: backport
	34
	35	Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
	36	Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
	37	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
	38	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	39	---
	40	fs/namespace.c \| 8 ++++++++
	41	1 file changed, 8 insertions(+)
	42
	43	diff --git a/fs/namespace.c b/fs/namespace.c
	44	index 7c67de8..4ea2b73 100644
	45	--- a/fs/namespace.c
	46	+++ b/fs/namespace.c
	47	@@ -2391,6 +2391,14 @@ long do_mount(const char dev_name, const char dir_name,
	48	if (flags & MS_RDONLY)
	49	mnt_flags \|= MNT_READONLY;
	50
	51	+ /* The default atime for remount is preservation */
	52	+ if ((flags & MS_REMOUNT) &&
	53	+ ((flags & (MS_NOATIME \| MS_NODIRATIME \| MS_RELATIME \|
	54	+ MS_STRICTATIME)) == 0)) {
	55	+ mnt_flags &= ~MNT_ATIME_MASK;
	56	+ mnt_flags \|= path.mnt->mnt_flags & MNT_ATIME_MASK;
	57	+ }
	58	+
	59	flags &= ~(MS_NOSUID \| MS_NOEXEC \| MS_NODEV \| MS_ACTIVE \| MS_BORN \|
	60	MS_NOATIME \| MS_NODIRATIME \| MS_RELATIME\| MS_KERNMOUNT \|
	61	MS_STRICTATIME);
	62	--
	63	1.9.1
	64