Description: USERNS allows circumventing MNT_LOCKED
References:
 http://marc.info/?l=linux-kernel&m=141271552117745&w=2
 https://groups.google.com/forum/#!topic/linux.kernel/HnegnbXk0Vs
 http://www.spinics.net/lists/linux-containers/msg30786.html
Notes:
 jmm> Most of the changes from Eric's patch series are merged, but not all:
 jmm> a3b3c5627c8301ac850962b04f645dfab81e6a60 (1/19)
 jmm> e819f152104c9f7c9fe50e1aecce6f5d4bf06d65 (2/19)
 jmm> 8318e667f176f7ea34451a1a530634e293f216ac (3/19)
 jmm> c003b26ff98ca04a180ff34c38c007a3998d62f9 (4/19)
 jmm> 590ce4bcbfb4e0462a720a4ad901e84416080bba (5/19)
 jmm> 411a938b5abc9cb126c41cccf5975ae464fe0f3e (6/19)
 jmm> 5d88457eb5b86b475422dc882f089203faaeedb5 (7/19)
 jmm> 0c56fe31420ca599c90240315f7959bf1b4eb6ce (8/19)
 jmm> cd4a40174b71acd021877341684d8bb1dc8ea4ae (9/19)
 jmm> 7bdb11de8ee4f4ae195e2fa19efd304e0b36c63b (10/19)
 jmm> 6a46c5735c29175da55b2fa9d53775182422cdd7 (11/19)
 jmm> 820f9f147dcce2602eefd9b575bbbd9ea14f0953 (12/19)
 jmm> ce07d891a0891d3c0d0c2d73d577490486b809e1 (13/19)
 jmm> f53e57975151f54ad8caa1b0ac8a78091cd5700a (14/19)
 jmm> e0c9c0afd2fc958ffa34b697972721d81df8a56f (15/19)
 jmm> But these are not yet:
 jmm> http://www.spinics.net/lists/linux-containers/msg30804.html (16/19)
 jmm> http://www.spinics.net/lists/linux-containers/msg30798.html (17/19)
 jmm> http://www.spinics.net/lists/linux-containers/msg30797.html (18/19)
 jmm> http://www.spinics.net/lists/linux-containers/msg30802.html (19/19)
 bwh> I think the last four are needed for CVE-2015-2925, not CVE-2014-9717
 jmm> These fixes rely on the fs_pin work by Al Viro
Bugs:
upstream: released (4.1-rc1) [a3b3c5627c8301ac850962b04f645dfab81e6a60^..e0c9c0afd2fc958ffa34b697972721d81df8a56f]
2.6.32-upstream-stable: N/A "user namespaces known broken before 3.5"
sid: released (4.0.2-1)
3.16-jessie-security: ignored "too intrusive to backport"
3.2-wheezy-security: N/A "user namespaces known broken before 3.5"
2.6.32-squeeze-security: N/A "user namespaces known broken before 3.5"
3.16-upstream-stable: ignored "too intrusive to backport"
3.2-upstream-stable: N/A "user namespaces known broken before 3.5"