summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch62
-rw-r--r--recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch62
-rw-r--r--recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch137
-rw-r--r--recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch64
-rw-r--r--recipes-kernel/linux/files/0005-mnt-CVE-2014-5206_CVE-2014-5207.patch324
-rw-r--r--recipes-kernel/linux/linux-qoriq_3.12.bb5
6 files changed, 654 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch
new file mode 100644
index 0000000..aec8930
--- /dev/null
+++ b/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch
@@ -0,0 +1,62 @@
1From 25c1def33a2f74079f3062b7afdf98fcf9f34e6d Mon Sep 17 00:00:00 2001
2From: "Eric W. Biederman" <ebiederm@xmission.com>
3Date: Mon, 28 Jul 2014 16:26:53 -0700
4Subject: [PATCH] mnt: Only change user settable mount flags in remount
5
6commit a6138db815df5ee542d848318e5dae681590fccd upstream.
7
8Kenton Varda <kenton@sandstorm.io> discovered that by remounting a
9read-only bind mount read-only in a user namespace the
10MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user
11to the remount a read-only mount read-write.
12
13Correct this by replacing the mask of mount flags to preserve
14with a mask of mount flags that may be changed, and preserve
15all others. This ensures that any future bugs with this mask and
16remount will fail in an easy to detect way where new mount flags
17simply won't change.
18
19Fix for CVE-2014-5206 and CVE-2014-5207
20Upstream-Status: backport
21
22Cc: stable@vger.kernel.org
23Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
24Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
25Signed-off-by: Jiri Slaby <jslaby@suse.cz>
26Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
27---
28 fs/namespace.c | 2 +-
29 include/linux/mount.h | 4 +++-
30 2 files changed, 4 insertions(+), 2 deletions(-)
31
32diff --git a/fs/namespace.c b/fs/namespace.c
33index 84447db..34fa7a5 100644
34--- a/fs/namespace.c
35+++ b/fs/namespace.c
36@@ -1847,7 +1847,7 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
37 err = do_remount_sb(sb, flags, data, 0);
38 if (!err) {
39 br_write_lock(&vfsmount_lock);
40- mnt_flags |= mnt->mnt.mnt_flags & MNT_PROPAGATION_MASK;
41+ mnt_flags |= mnt->mnt.mnt_flags & ~MNT_USER_SETTABLE_MASK;
42 mnt->mnt.mnt_flags = mnt_flags;
43 br_write_unlock(&vfsmount_lock);
44 }
45diff --git a/include/linux/mount.h b/include/linux/mount.h
46index 38cd98f..8707c9e 100644
47--- a/include/linux/mount.h
48+++ b/include/linux/mount.h
49@@ -42,7 +42,9 @@ struct mnt_namespace;
50 * flag, consider how it interacts with shared mounts.
51 */
52 #define MNT_SHARED_MASK (MNT_UNBINDABLE)
53-#define MNT_PROPAGATION_MASK (MNT_SHARED | MNT_UNBINDABLE)
54+#define MNT_USER_SETTABLE_MASK (MNT_NOSUID | MNT_NODEV | MNT_NOEXEC \
55+ | MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME \
56+ | MNT_READONLY)
57
58
59 #define MNT_INTERNAL 0x4000
60--
611.9.1
62
diff --git a/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch
new file mode 100644
index 0000000..b08f217
--- /dev/null
+++ b/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch
@@ -0,0 +1,62 @@
1From cab259f821fad20afa688d3fbeb47356447ac20b Mon Sep 17 00:00:00 2001
2From: "Eric W. Biederman" <ebiederm@xmission.com>
3Date: Mon, 28 Jul 2014 17:10:56 -0700
4Subject: [PATCH] mnt: Move the test for MNT_LOCK_READONLY from
5 change_mount_flags into do_remount
6
7commit 07b645589dcda8b7a5249e096fece2a67556f0f4 upstream.
8
9There are no races as locked mount flags are guaranteed to never change.
10
11Moving the test into do_remount makes it more visible, and ensures all
12filesystem remounts pass the MNT_LOCK_READONLY permission check. This
13second case is not an issue today as filesystem remounts are guarded
14by capable(CAP_DAC_ADMIN) and thus will always fail in less privileged
15mount namespaces, but it could become an issue in the future.
16
17Fix for CVE-2014-5206 and CVE-2014-5207
18Upstream-Status: backport
19
20Cc: stable@vger.kernel.org
21Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
22Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
23Signed-off-by: Jiri Slaby <jslaby@suse.cz>
24Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
25---
26 fs/namespace.c | 13 ++++++++++---
27 1 file changed, 10 insertions(+), 3 deletions(-)
28
29diff --git a/fs/namespace.c b/fs/namespace.c
30index 34fa7a5..8e90b03 100644
31--- a/fs/namespace.c
32+++ b/fs/namespace.c
33@@ -1806,9 +1806,6 @@ static int change_mount_flags(struct vfsmount *mnt, int ms_flags)
34 if (readonly_request == __mnt_is_readonly(mnt))
35 return 0;
36
37- if (mnt->mnt_flags & MNT_LOCK_READONLY)
38- return -EPERM;
39-
40 if (readonly_request)
41 error = mnt_make_readonly(real_mount(mnt));
42 else
43@@ -1834,6 +1831,16 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
44 if (path->dentry != path->mnt->mnt_root)
45 return -EINVAL;
46
47+ /* Don't allow changing of locked mnt flags.
48+ *
49+ * No locks need to be held here while testing the various
50+ * MNT_LOCK flags because those flags can never be cleared
51+ * once they are set.
52+ */
53+ if ((mnt->mnt.mnt_flags & MNT_LOCK_READONLY) &&
54+ !(mnt_flags & MNT_READONLY)) {
55+ return -EPERM;
56+ }
57 err = security_sb_remount(sb, data);
58 if (err)
59 return err;
60--
611.9.1
62
diff --git a/recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch
new file mode 100644
index 0000000..aa5ca1b
--- /dev/null
+++ b/recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch
@@ -0,0 +1,137 @@
1From 8b18c0adbc5d0cb1530692e72bcfb88fd7bb77bb Mon Sep 17 00:00:00 2001
2From: "Eric W. Biederman" <ebiederm@xmission.com>
3Date: Mon, 28 Jul 2014 17:26:07 -0700
4Subject: [PATCH] mnt: Correct permission checks in do_remount
5
6commit 9566d6742852c527bf5af38af5cbb878dad75705 upstream.
7
8While invesgiating the issue where in "mount --bind -oremount,ro ..."
9would result in later "mount --bind -oremount,rw" succeeding even if
10the mount started off locked I realized that there are several
11additional mount flags that should be locked and are not.
12
13In particular MNT_NOSUID, MNT_NODEV, MNT_NOEXEC, and the atime
14flags in addition to MNT_READONLY should all be locked. These
15flags are all per superblock, can all be changed with MS_BIND,
16and should not be changable if set by a more privileged user.
17
18The following additions to the current logic are added in this patch.
19- nosuid may not be clearable by a less privileged user.
20- nodev may not be clearable by a less privielged user.
21- noexec may not be clearable by a less privileged user.
22- atime flags may not be changeable by a less privileged user.
23
24The logic with atime is that always setting atime on access is a
25global policy and backup software and auditing software could break if
26atime bits are not updated (when they are configured to be updated),
27and serious performance degradation could result (DOS attack) if atime
28updates happen when they have been explicitly disabled. Therefore an
29unprivileged user should not be able to mess with the atime bits set
30by a more privileged user.
31
32The additional restrictions are implemented with the addition of
33MNT_LOCK_NOSUID, MNT_LOCK_NODEV, MNT_LOCK_NOEXEC, and MNT_LOCK_ATIME
34mnt flags.
35
36Taken together these changes and the fixes for MNT_LOCK_READONLY
37should make it safe for an unprivileged user to create a user
38namespace and to call "mount --bind -o remount,... ..." without
39the danger of mount flags being changed maliciously.
40
41Fix for CVE-2014-5206 and CVE-2014-5207
42Upstream-Status: backport
43
44Cc: stable@vger.kernel.org
45Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
46Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
47Signed-off-by: Jiri Slaby <jslaby@suse.cz>
48Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
49---
50 fs/namespace.c | 36 +++++++++++++++++++++++++++++++++---
51 include/linux/mount.h | 5 +++++
52 2 files changed, 38 insertions(+), 3 deletions(-)
53
54diff --git a/fs/namespace.c b/fs/namespace.c
55index 8e90b03..7c67de8 100644
56--- a/fs/namespace.c
57+++ b/fs/namespace.c
58@@ -827,8 +827,21 @@ static struct mount *clone_mnt(struct mount *old, struct dentry *root,
59
60 mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~MNT_WRITE_HOLD;
61 /* Don't allow unprivileged users to change mount flags */
62- if ((flag & CL_UNPRIVILEGED) && (mnt->mnt.mnt_flags & MNT_READONLY))
63- mnt->mnt.mnt_flags |= MNT_LOCK_READONLY;
64+ if (flag & CL_UNPRIVILEGED) {
65+ mnt->mnt.mnt_flags |= MNT_LOCK_ATIME;
66+
67+ if (mnt->mnt.mnt_flags & MNT_READONLY)
68+ mnt->mnt.mnt_flags |= MNT_LOCK_READONLY;
69+
70+ if (mnt->mnt.mnt_flags & MNT_NODEV)
71+ mnt->mnt.mnt_flags |= MNT_LOCK_NODEV;
72+
73+ if (mnt->mnt.mnt_flags & MNT_NOSUID)
74+ mnt->mnt.mnt_flags |= MNT_LOCK_NOSUID;
75+
76+ if (mnt->mnt.mnt_flags & MNT_NOEXEC)
77+ mnt->mnt.mnt_flags |= MNT_LOCK_NOEXEC;
78+ }
79
80 /* Don't allow unprivileged users to reveal what is under a mount */
81 if ((flag & CL_UNPRIVILEGED) && list_empty(&old->mnt_expire))
82@@ -1841,6 +1854,23 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
83 !(mnt_flags & MNT_READONLY)) {
84 return -EPERM;
85 }
86+ if ((mnt->mnt.mnt_flags & MNT_LOCK_NODEV) &&
87+ !(mnt_flags & MNT_NODEV)) {
88+ return -EPERM;
89+ }
90+ if ((mnt->mnt.mnt_flags & MNT_LOCK_NOSUID) &&
91+ !(mnt_flags & MNT_NOSUID)) {
92+ return -EPERM;
93+ }
94+ if ((mnt->mnt.mnt_flags & MNT_LOCK_NOEXEC) &&
95+ !(mnt_flags & MNT_NOEXEC)) {
96+ return -EPERM;
97+ }
98+ if ((mnt->mnt.mnt_flags & MNT_LOCK_ATIME) &&
99+ ((mnt->mnt.mnt_flags & MNT_ATIME_MASK) != (mnt_flags & MNT_ATIME_MASK))) {
100+ return -EPERM;
101+ }
102+
103 err = security_sb_remount(sb, data);
104 if (err)
105 return err;
106@@ -2043,7 +2073,7 @@ static int do_new_mount(struct path *path, const char *fstype, int flags,
107 */
108 if (!(type->fs_flags & FS_USERNS_DEV_MOUNT)) {
109 flags |= MS_NODEV;
110- mnt_flags |= MNT_NODEV;
111+ mnt_flags |= MNT_NODEV | MNT_LOCK_NODEV;
112 }
113 }
114
115diff --git a/include/linux/mount.h b/include/linux/mount.h
116index 8707c9e..22e5b96 100644
117--- a/include/linux/mount.h
118+++ b/include/linux/mount.h
119@@ -45,10 +45,15 @@ struct mnt_namespace;
120 #define MNT_USER_SETTABLE_MASK (MNT_NOSUID | MNT_NODEV | MNT_NOEXEC \
121 | MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME \
122 | MNT_READONLY)
123+#define MNT_ATIME_MASK (MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME )
124
125
126 #define MNT_INTERNAL 0x4000
127
128+#define MNT_LOCK_ATIME 0x040000
129+#define MNT_LOCK_NOEXEC 0x080000
130+#define MNT_LOCK_NOSUID 0x100000
131+#define MNT_LOCK_NODEV 0x200000
132 #define MNT_LOCK_READONLY 0x400000
133 #define MNT_LOCKED 0x800000
134
135--
1361.9.1
137
diff --git a/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch
new file mode 100644
index 0000000..8cd4b13
--- /dev/null
+++ b/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch
@@ -0,0 +1,64 @@
1From fafbc9412b8f2dae04bc3ca233ae7b49482c8df8 Mon Sep 17 00:00:00 2001
2From: "Eric W. Biederman" <ebiederm@xmission.com>
3Date: Mon, 28 Jul 2014 17:36:04 -0700
4Subject: [PATCH] mnt: Change the default remount atime from relatime to the
5 existing value
6
7commit ffbc6f0ead47fa5a1dc9642b0331cb75c20a640e upstream.
8
9Since March 2009 the kernel has treated the state that if no
10MS_..ATIME flags are passed then the kernel defaults to relatime.
11
12Defaulting to relatime instead of the existing atime state during a
13remount is silly, and causes problems in practice for people who don't
14specify any MS_...ATIME flags and to get the default filesystem atime
15setting. Those users may encounter a permission error because the
16default atime setting does not work.
17
18A default that does not work and causes permission problems is
19ridiculous, so preserve the existing value to have a default
20atime setting that is always guaranteed to work.
21
22Using the default atime setting in this way is particularly
23interesting for applications built to run in restricted userspace
24environments without /proc mounted, as the existing atime mount
25options of a filesystem can not be read from /proc/mounts.
26
27In practice this fixes user space that uses the default atime
28setting on remount that are broken by the permission checks
29keeping less privileged users from changing more privileged users
30atime settings.
31
32Fix for CVE-2014-5206 and CVE-2014-5207
33Upstream-Status: backport
34
35Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
36Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
37Signed-off-by: Jiri Slaby <jslaby@suse.cz>
38Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
39---
40 fs/namespace.c | 8 ++++++++
41 1 file changed, 8 insertions(+)
42
43diff --git a/fs/namespace.c b/fs/namespace.c
44index 7c67de8..4ea2b73 100644
45--- a/fs/namespace.c
46+++ b/fs/namespace.c
47@@ -2391,6 +2391,14 @@ long do_mount(const char *dev_name, const char *dir_name,
48 if (flags & MS_RDONLY)
49 mnt_flags |= MNT_READONLY;
50
51+ /* The default atime for remount is preservation */
52+ if ((flags & MS_REMOUNT) &&
53+ ((flags & (MS_NOATIME | MS_NODIRATIME | MS_RELATIME |
54+ MS_STRICTATIME)) == 0)) {
55+ mnt_flags &= ~MNT_ATIME_MASK;
56+ mnt_flags |= path.mnt->mnt_flags & MNT_ATIME_MASK;
57+ }
58+
59 flags &= ~(MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_ACTIVE | MS_BORN |
60 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
61 MS_STRICTATIME);
62--
631.9.1
64
diff --git a/recipes-kernel/linux/files/0005-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0005-mnt-CVE-2014-5206_CVE-2014-5207.patch
new file mode 100644
index 0000000..caa89db
--- /dev/null
+++ b/recipes-kernel/linux/files/0005-mnt-CVE-2014-5206_CVE-2014-5207.patch
@@ -0,0 +1,324 @@
1From 4194b9700ce41ff2f7031aa0c6108c2539028ab5 Mon Sep 17 00:00:00 2001
2From: "Eric W. Biederman" <ebiederm@xmission.com>
3Date: Tue, 29 Jul 2014 15:50:44 -0700
4Subject: [PATCH] mnt: Add tests for unprivileged remount cases that have found
5 to be faulty
6
7commit db181ce011e3c033328608299cd6fac06ea50130 upstream.
8
9Kenton Varda <kenton@sandstorm.io> discovered that by remounting a
10read-only bind mount read-only in a user namespace the
11MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user
12to the remount a read-only mount read-write.
13
14Upon review of the code in remount it was discovered that the code allowed
15nosuid, noexec, and nodev to be cleared. It was also discovered that
16the code was allowing the per mount atime flags to be changed.
17
18The first naive patch to fix these issues contained the flaw that using
19default atime settings when remounting a filesystem could be disallowed.
20
21To avoid this problems in the future add tests to ensure unprivileged
22remounts are succeeding and failing at the appropriate times.
23
24Fix for CVE-2014-5206 and CVE-2014-5207
25Upstream-Status: backport
26
27Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
28Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
29Signed-off-by: Jiri Slaby <jslaby@suse.cz>
30Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
31---
32 tools/testing/selftests/Makefile | 1 +
33 tools/testing/selftests/mount/Makefile | 17 ++
34 .../selftests/mount/unprivileged-remount-test.c | 242 +++++++++++++++++++++
35 3 files changed, 260 insertions(+)
36 create mode 100644 tools/testing/selftests/mount/Makefile
37 create mode 100644 tools/testing/selftests/mount/unprivileged-remount-test.c
38
39diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile
40index 9f3eae2..2d9ab94 100644
41--- a/tools/testing/selftests/Makefile
42+++ b/tools/testing/selftests/Makefile
43@@ -4,6 +4,7 @@ TARGETS += efivarfs
44 TARGETS += kcmp
45 TARGETS += memory-hotplug
46 TARGETS += mqueue
47+TARGETS += mount
48 TARGETS += net
49 TARGETS += ptrace
50 TARGETS += timers
51diff --git a/tools/testing/selftests/mount/Makefile b/tools/testing/selftests/mount/Makefile
52new file mode 100644
53index 0000000..337d853
54--- /dev/null
55+++ b/tools/testing/selftests/mount/Makefile
56@@ -0,0 +1,17 @@
57+# Makefile for mount selftests.
58+
59+all: unprivileged-remount-test
60+
61+unprivileged-remount-test: unprivileged-remount-test.c
62+ gcc -Wall -O2 unprivileged-remount-test.c -o unprivileged-remount-test
63+
64+# Allow specific tests to be selected.
65+test_unprivileged_remount: unprivileged-remount-test
66+ @if [ -f /proc/self/uid_map ] ; then ./unprivileged-remount-test ; fi
67+
68+run_tests: all test_unprivileged_remount
69+
70+clean:
71+ rm -f unprivileged-remount-test
72+
73+.PHONY: all test_unprivileged_remount
74diff --git a/tools/testing/selftests/mount/unprivileged-remount-test.c b/tools/testing/selftests/mount/unprivileged-remount-test.c
75new file mode 100644
76index 0000000..1b3ff2f
77--- /dev/null
78+++ b/tools/testing/selftests/mount/unprivileged-remount-test.c
79@@ -0,0 +1,242 @@
80+#define _GNU_SOURCE
81+#include <sched.h>
82+#include <stdio.h>
83+#include <errno.h>
84+#include <string.h>
85+#include <sys/types.h>
86+#include <sys/mount.h>
87+#include <sys/wait.h>
88+#include <stdlib.h>
89+#include <unistd.h>
90+#include <fcntl.h>
91+#include <grp.h>
92+#include <stdbool.h>
93+#include <stdarg.h>
94+
95+#ifndef CLONE_NEWNS
96+# define CLONE_NEWNS 0x00020000
97+#endif
98+#ifndef CLONE_NEWUTS
99+# define CLONE_NEWUTS 0x04000000
100+#endif
101+#ifndef CLONE_NEWIPC
102+# define CLONE_NEWIPC 0x08000000
103+#endif
104+#ifndef CLONE_NEWNET
105+# define CLONE_NEWNET 0x40000000
106+#endif
107+#ifndef CLONE_NEWUSER
108+# define CLONE_NEWUSER 0x10000000
109+#endif
110+#ifndef CLONE_NEWPID
111+# define CLONE_NEWPID 0x20000000
112+#endif
113+
114+#ifndef MS_RELATIME
115+#define MS_RELATIME (1 << 21)
116+#endif
117+#ifndef MS_STRICTATIME
118+#define MS_STRICTATIME (1 << 24)
119+#endif
120+
121+static void die(char *fmt, ...)
122+{
123+ va_list ap;
124+ va_start(ap, fmt);
125+ vfprintf(stderr, fmt, ap);
126+ va_end(ap);
127+ exit(EXIT_FAILURE);
128+}
129+
130+static void write_file(char *filename, char *fmt, ...)
131+{
132+ char buf[4096];
133+ int fd;
134+ ssize_t written;
135+ int buf_len;
136+ va_list ap;
137+
138+ va_start(ap, fmt);
139+ buf_len = vsnprintf(buf, sizeof(buf), fmt, ap);
140+ va_end(ap);
141+ if (buf_len < 0) {
142+ die("vsnprintf failed: %s\n",
143+ strerror(errno));
144+ }
145+ if (buf_len >= sizeof(buf)) {
146+ die("vsnprintf output truncated\n");
147+ }
148+
149+ fd = open(filename, O_WRONLY);
150+ if (fd < 0) {
151+ die("open of %s failed: %s\n",
152+ filename, strerror(errno));
153+ }
154+ written = write(fd, buf, buf_len);
155+ if (written != buf_len) {
156+ if (written >= 0) {
157+ die("short write to %s\n", filename);
158+ } else {
159+ die("write to %s failed: %s\n",
160+ filename, strerror(errno));
161+ }
162+ }
163+ if (close(fd) != 0) {
164+ die("close of %s failed: %s\n",
165+ filename, strerror(errno));
166+ }
167+}
168+
169+static void create_and_enter_userns(void)
170+{
171+ uid_t uid;
172+ gid_t gid;
173+
174+ uid = getuid();
175+ gid = getgid();
176+
177+ if (unshare(CLONE_NEWUSER) !=0) {
178+ die("unshare(CLONE_NEWUSER) failed: %s\n",
179+ strerror(errno));
180+ }
181+
182+ write_file("/proc/self/uid_map", "0 %d 1", uid);
183+ write_file("/proc/self/gid_map", "0 %d 1", gid);
184+
185+ if (setgroups(0, NULL) != 0) {
186+ die("setgroups failed: %s\n",
187+ strerror(errno));
188+ }
189+ if (setgid(0) != 0) {
190+ die ("setgid(0) failed %s\n",
191+ strerror(errno));
192+ }
193+ if (setuid(0) != 0) {
194+ die("setuid(0) failed %s\n",
195+ strerror(errno));
196+ }
197+}
198+
199+static
200+bool test_unpriv_remount(int mount_flags, int remount_flags, int invalid_flags)
201+{
202+ pid_t child;
203+
204+ child = fork();
205+ if (child == -1) {
206+ die("fork failed: %s\n",
207+ strerror(errno));
208+ }
209+ if (child != 0) { /* parent */
210+ pid_t pid;
211+ int status;
212+ pid = waitpid(child, &status, 0);
213+ if (pid == -1) {
214+ die("waitpid failed: %s\n",
215+ strerror(errno));
216+ }
217+ if (pid != child) {
218+ die("waited for %d got %d\n",
219+ child, pid);
220+ }
221+ if (!WIFEXITED(status)) {
222+ die("child did not terminate cleanly\n");
223+ }
224+ return WEXITSTATUS(status) == EXIT_SUCCESS ? true : false;
225+ }
226+
227+ create_and_enter_userns();
228+ if (unshare(CLONE_NEWNS) != 0) {
229+ die("unshare(CLONE_NEWNS) failed: %s\n",
230+ strerror(errno));
231+ }
232+
233+ if (mount("testing", "/tmp", "ramfs", mount_flags, NULL) != 0) {
234+ die("mount of /tmp failed: %s\n",
235+ strerror(errno));
236+ }
237+
238+ create_and_enter_userns();
239+
240+ if (unshare(CLONE_NEWNS) != 0) {
241+ die("unshare(CLONE_NEWNS) failed: %s\n",
242+ strerror(errno));
243+ }
244+
245+ if (mount("/tmp", "/tmp", "none",
246+ MS_REMOUNT | MS_BIND | remount_flags, NULL) != 0) {
247+ /* system("cat /proc/self/mounts"); */
248+ die("remount of /tmp failed: %s\n",
249+ strerror(errno));
250+ }
251+
252+ if (mount("/tmp", "/tmp", "none",
253+ MS_REMOUNT | MS_BIND | invalid_flags, NULL) == 0) {
254+ /* system("cat /proc/self/mounts"); */
255+ die("remount of /tmp with invalid flags "
256+ "succeeded unexpectedly\n");
257+ }
258+ exit(EXIT_SUCCESS);
259+}
260+
261+static bool test_unpriv_remount_simple(int mount_flags)
262+{
263+ return test_unpriv_remount(mount_flags, mount_flags, 0);
264+}
265+
266+static bool test_unpriv_remount_atime(int mount_flags, int invalid_flags)
267+{
268+ return test_unpriv_remount(mount_flags, mount_flags, invalid_flags);
269+}
270+
271+int main(int argc, char **argv)
272+{
273+ if (!test_unpriv_remount_simple(MS_RDONLY|MS_NODEV)) {
274+ die("MS_RDONLY malfunctions\n");
275+ }
276+ if (!test_unpriv_remount_simple(MS_NODEV)) {
277+ die("MS_NODEV malfunctions\n");
278+ }
279+ if (!test_unpriv_remount_simple(MS_NOSUID|MS_NODEV)) {
280+ die("MS_NOSUID malfunctions\n");
281+ }
282+ if (!test_unpriv_remount_simple(MS_NOEXEC|MS_NODEV)) {
283+ die("MS_NOEXEC malfunctions\n");
284+ }
285+ if (!test_unpriv_remount_atime(MS_RELATIME|MS_NODEV,
286+ MS_NOATIME|MS_NODEV))
287+ {
288+ die("MS_RELATIME malfunctions\n");
289+ }
290+ if (!test_unpriv_remount_atime(MS_STRICTATIME|MS_NODEV,
291+ MS_NOATIME|MS_NODEV))
292+ {
293+ die("MS_STRICTATIME malfunctions\n");
294+ }
295+ if (!test_unpriv_remount_atime(MS_NOATIME|MS_NODEV,
296+ MS_STRICTATIME|MS_NODEV))
297+ {
298+ die("MS_RELATIME malfunctions\n");
299+ }
300+ if (!test_unpriv_remount_atime(MS_RELATIME|MS_NODIRATIME|MS_NODEV,
301+ MS_NOATIME|MS_NODEV))
302+ {
303+ die("MS_RELATIME malfunctions\n");
304+ }
305+ if (!test_unpriv_remount_atime(MS_STRICTATIME|MS_NODIRATIME|MS_NODEV,
306+ MS_NOATIME|MS_NODEV))
307+ {
308+ die("MS_RELATIME malfunctions\n");
309+ }
310+ if (!test_unpriv_remount_atime(MS_NOATIME|MS_NODIRATIME|MS_NODEV,
311+ MS_STRICTATIME|MS_NODEV))
312+ {
313+ die("MS_RELATIME malfunctions\n");
314+ }
315+ if (!test_unpriv_remount(MS_STRICTATIME|MS_NODEV, MS_NODEV,
316+ MS_NOATIME|MS_NODEV))
317+ {
318+ die("Default atime malfunctions\n");
319+ }
320+ return EXIT_SUCCESS;
321+}
322--
3231.9.1
324
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index a590231..12fa2a6 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -6,6 +6,11 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
6 file://Fix-CVE-2014-5077-sctp-inherit-auth-capable-on-INIT-collisions.patch \ 6 file://Fix-CVE-2014-5077-sctp-inherit-auth-capable-on-INIT-collisions.patch \
7 file://Fix-CVE-2014-5471_CVE-2014-5472.patch \ 7 file://Fix-CVE-2014-5471_CVE-2014-5472.patch \
8 file://modify-defconfig-t1040-nr-cpus.patch \ 8 file://modify-defconfig-t1040-nr-cpus.patch \
9 file://0001-mnt-CVE-2014-5206_CVE-2014-5207.patch \
10 file://0002-mnt-CVE-2014-5206_CVE-2014-5207.patch \
11 file://0003-mnt-CVE-2014-5206_CVE-2014-5207.patch \
12 file://0004-mnt-CVE-2014-5206_CVE-2014-5207.patch \
13 file://0005-mnt-CVE-2014-5206_CVE-2014-5207.patch \
9" 14"
10SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229" 15SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
11 16
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-05-13 15:06:40 +0000