"overlay" fs type not mountable in unprivileged containers
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Ubuntu) | Fix Released | High | Seth Forshee | | |
Bug Description
The "overlay" fstype is not mountable from within non-init user namespaces in wily. This is a regression wrt vivid and is causing LXC adt failures:
https:/
To reproduce, assuming you have an unprivileged LXC container named u1:
$ lxc-clone -s u1 u2
$ lxc-start -n u2 --logfile=lxc.out --logpriority=DEBUG
Starting u2 will fail, with the following in lxc.out:
lxc-start 1438006183.232 ERROR bdev - bdev.c:
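A quick way to check whether a given kernel shows the behaviour reported above, as an added example (not from the bug report or the Ubuntu kernel tree): the script attempts an overlay mount from inside a fresh user namespace and reports the outcome. It assumes util-linux `unshare` and `mount` are installed; `probe_overlay_userns` and the scratch directories are made up for illustration.

```shell
#!/bin/sh
# Added example: does this kernel let a non-init user namespace mount "overlay"?
# probe_overlay_userns is a hypothetical helper; scratch dirs are constructed.

# Prints exactly one of:
#   supported  - overlay mount succeeded inside a new user namespace
#   refused    - namespace was created but the mount failed (the symptom in
#                this bug; also seen if overlayfs itself is unavailable)
#   no-userns  - unshare is missing or unprivileged user namespaces are off
probe_overlay_userns() {
    command -v unshare >/dev/null 2>&1 || { echo no-userns; return 0; }

    # First confirm a user+mount namespace can be created at all, so a later
    # failure can be attributed to the mount and not to namespace setup.
    unshare --user --map-root-user --mount true >/dev/null 2>&1 \
        || { echo no-userns; return 0; }

    scratch=$(mktemp -d) || return 1
    mkdir "$scratch/lower" "$scratch/upper" "$scratch/work" "$scratch/merged"

    # The mount lives only in the throwaway mount namespace and disappears
    # when the unshare'd process exits, so nothing needs unmounting.
    if unshare --user --map-root-user --mount \
        mount -t overlay overlay \
        -o "lowerdir=$scratch/lower,upperdir=$scratch/upper,workdir=$scratch/work" \
        "$scratch/merged" >/dev/null 2>&1
    then
        result=supported
    else
        result=refused
    fi

    # overlayfs may leave an unreadable work/work directory; ignore cleanup errors.
    rm -rf "$scratch" 2>/dev/null || true
    echo "$result"
}

probe_overlay_userns
```

On hosts where unprivileged overlay mounts are not wanted, `refused` is the expected answer, so the same probe works as a hardening check.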
CVE References
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
This bug was fixed in the package linux - 4.1.0-3.3
---------------
linux (4.1.0-3.3) wily; urgency=low
[ Andy Whitcroft ]
* Release Tracking Bug
- LP: #1478897
[ Colin Ian King ]
* SAUCE: KEYS: ensure we free the assoc array edit if edit is valid
- CVE-2015-1333
[ Seth Forshee ]
* SAUCE: overlayfs: Enable user namespace mounts for the "overlay" fstype
- LP: #1478578
[ Upstream Kernel Changes ]
* sched/stop_machine: Fix deadlock between multiple stop_two_cpus()
- LP: #1461620
* x86/nmi: Enable nested do_nmi() handling for 64-bit kernels
* x86/nmi/64: Remove asm code that saves cr2
* x86/nmi/64: Switch stacks on userspace NMI entry
* x86/nmi/64: Reorder nested NMI checks
* x86/nmi/64: Use DF to avoid userspace RSP confusing nested NMI
detection
-- Andy Whitcroft <email address hidden> Tue, 28 Jul 2015 11:59:03 +0100