diff options
Diffstat (limited to 'meta-fsl-ppc/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch')
-rw-r--r-- | meta-fsl-ppc/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch new file mode 100644 index 00000000..8cd4b130 --- /dev/null +++ b/meta-fsl-ppc/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch @@ -0,0 +1,64 @@ +From fafbc9412b8f2dae04bc3ca233ae7b49482c8df8 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" <ebiederm@xmission.com> +Date: Mon, 28 Jul 2014 17:36:04 -0700 +Subject: [PATCH] mnt: Change the default remount atime from relatime to the + existing value + +commit ffbc6f0ead47fa5a1dc9642b0331cb75c20a640e upstream. + +Since March 2009 the kernel has treated the state that if no +MS_..ATIME flags are passed then the kernel defaults to relatime. + +Defaulting to relatime instead of the existing atime state during a +remount is silly, and causes problems in practice for people who don't +specify any MS_...ATIME flags and to get the default filesystem atime +setting. Those users may encounter a permission error because the +default atime setting does not work. + +A default that does not work and causes permission problems is +ridiculous, so preserve the existing value to have a default +atime setting that is always guaranteed to work. + +Using the default atime setting in this way is particularly +interesting for applications built to run in restricted userspace +environments without /proc mounted, as the existing atime mount +options of a filesystem can not be read from /proc/mounts. + +In practice this fixes user space that uses the default atime +setting on remount that are broken by the permission checks +keeping less privileged users from changing more privileged users +atime settings. + +Fix for CVE-2014-5206 and CVE-2014-5207 +Upstream-Status: backport + +Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> +--- + fs/namespace.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/namespace.c b/fs/namespace.c +index 7c67de8..4ea2b73 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -2391,6 +2391,14 @@ long do_mount(const char *dev_name, const char *dir_name, + if (flags & MS_RDONLY) + mnt_flags |= MNT_READONLY; + ++ /* The default atime for remount is preservation */ ++ if ((flags & MS_REMOUNT) && ++ ((flags & (MS_NOATIME | MS_NODIRATIME | MS_RELATIME | ++ MS_STRICTATIME)) == 0)) { ++ mnt_flags &= ~MNT_ATIME_MASK; ++ mnt_flags |= path.mnt->mnt_flags & MNT_ATIME_MASK; ++ } ++ + flags &= ~(MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_ACTIVE | MS_BORN | + MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT | + MS_STRICTATIME); +-- +1.9.1 + |