diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2014-10-14 08:35:01 +0200 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-10-14 08:35:01 +0200 |
commit | 0ef3a56b1c466629cd0bf482b09c7b0e5a085bb5 (patch) | |
tree | 268d48a67ffeab5f11ceb604f6a7c5205f6a47e4 /fs/cachefiles/namei.c | |
parent | dfe2c6dcc8ca2cdc662d7c0473e9811b72ef3370 (diff) | |
parent | a1480dcc3c706e309a88884723446f2e84fedd5b (diff) | |
download | linux-0ef3a56b1c466629cd0bf482b09c7b0e5a085bb5.tar.bz2 |
Merge branch 'CVE-2014-7975' of git://git.kernel.org/pub/scm/linux/kernel/git/luto/linux
Pull do_umount fix from Andy Lutomirski:
"This fix really ought to be safe. Inside a mountns owned by a
non-root user namespace, the namespace root almost always has
MNT_LOCKED set (if it doesn't, then there's a bug, because rootfs
could be exposed). In that case, calling umount on "/" will return
-EINVAL with or without this patch.
Outside a userns, this patch will have no effect. may_mount, required
by umount, already checks
ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_ADMIN)
so an additional capable(CAP_SYS_ADMIN) check will have no effect.
That leaves anything that calls umount on "/" in a non-root userns
while chrooted. This is the case that is currently broken (it
remounts ro, which shouldn't be allowed) and that my patch changes to
-EPERM. If anything relies on *that*, I'd be surprised"
* 'CVE-2014-7975' of git://git.kernel.org/pub/scm/linux/kernel/git/luto/linux:
fs: Add a missing permission check to do_umount
Diffstat (limited to 'fs/cachefiles/namei.c')
0 files changed, 0 insertions, 0 deletions