Bug 1226751 (CVE-2014-9717)

Summary: CVE-2014-9717 kernel: unsharing MNT_LOCKED mount can expose files beneath the mount.
Product: [Other] Security Response
Component: vulnerability
Reporter: Wade Mealing <wmealing>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: aquini, bhu, blc, dhoward, fhrbata, gansalmon, itamar, jforbes, jkacur, joelsmith, jonathan, jwboyer, kernel-maint, kernel-mgr, lgoncalv, madhu.chinakonda, mchehab, mlangsdo, nmurray, rvrbovsk, slawomir, williams, xzhou
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text: It was found that unsharing a mount namespace could allow a user to see data beneath their restricted namespace.
Last Closed: 2021-10-21 00:45:38 UTC
Bug Depends On: 1226765, 1231595, 1231596
Bug Blocks: 1213949

Description Wade Mealing 2015-06-01 01:13:54 UTC
  "The semantics of MNT_LOCKED are that you aren't allowed to see what
   is beneath. So if you can get under there even by unsharing the mount
   namespace it is an implementation bug in MNT_LOCKED."

At this current time, Red Hat Enterprise Linux products do not ship with user namespaces enabled as a kernel compile-time option and are therefore not affected.

References:
http://marc.info/?l=linux-kernel&m=141271552117745&w=2
http://www.spinics.net/lists/linux-containers/msg30786.html
https://git.kernel.org/linus/da362b09e42ee0bcaf0356afee6078b4f324baff
http://openwall.com/lists/oss-security/2015/04/18/3

Comment 1 Wade Mealing 2015-06-01 01:21:54 UTC
Statement:

This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2.

Comment 3 Wade Mealing 2015-06-01 04:04:04 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1226765]

Comment 4 Wade Mealing 2015-06-01 04:08:23 UTC
This issue does not affect Red Hat Enterprise Linux at this time as we do not allow creation of user namespaces.  This area of code does not exist and has not been backported to current Red Hat Enterprise Linux kernels.

Comment 7 Wade Mealing 2015-08-26 01:11:06 UTC
*** Bug 1226108 has been marked as a duplicate of this bug. ***