Bug #1549398 “xenial master-next: cgroup mounting broken in cont...” : Bugs : linux package : Ubuntu

Revision history for this message

Seth Forshee (sforshee) wrote on 2016-02-24:

#1

0001-UBUNTU-SAUCE-kernfs-Always-set-super-block-owner-to-.patch Edit (1.5 KiB, text/plain)

Andy Whitcroft (apw) on 2016-02-24

description:

updated

Andy Whitcroft (apw) on 2016-02-24

description:

updated

Revision history for this message

Andy Whitcroft (apw) wrote on 2016-02-24:

#2

As this is a blocker for a High CVE marking this High as well.

Changed in linux (Ubuntu):
importance:	Undecided → High

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-02-26:

#3

Download full text (10.1 KiB)

This bug was fixed in the package linux - 4.4.0-8.23

---------------
linux (4.4.0-8.23) xenial; urgency=low

* cgroup namespace mounts broken in containers (LP: #1549398)
- SAUCE: kernfs: Always set super block owner to init_user_ns

  * 4.4.0-7.22 no longer boots on arm64 (LP: #1547718)
    - arm64: mm: avoid calling apply_to_page_range on empty range
    - UBUNTU SAUCE: arm: mm: avoid calling apply_to_page_range on empty range

* kernel install failed /bin/cp: cannot stat ‘/boot/initrd.img-4.3.0-7-generic’: No such file or directory (LP: #1536810)
- [Config] postinst -- handle recreating symlinks when a real file is present

  * insecure overlayfs xattrs handling in copy_up (LP: #1534961)
    - SAUCE: cred: Add clone_cred() interface
    - SAUCE: overlayfs: Use mounter's credentials instead of selectively raising caps
    - SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs
    - SAUCE: overlayfs: Be more careful about copying up sxid files
    - SAUCE: overlayfs: Propogate nosuid from lower and upper mounts

  * overlayfs over fuse should refuse copy_up of files if uid/gid not mapped (LP: #1535150)
    - SAUCE: cred: Add clone_cred() interface
    - SAUCE: overlayfs: Use mounter's credentials instead of selectively raising caps
    - SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs
    - SAUCE: overlayfs: Be more careful about copying up sxid files
    - SAUCE: overlayfs: Propogate nosuid from lower and upper mounts

  * overlay: mkdir fails if directory exists in lowerdir in a user namespace (LP: #1531747)
    - SAUCE: cred: Add clone_cred() interface
    - SAUCE: overlayfs: Use mounter's credentials instead of selectively raising caps
    - SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs

  * Update Intel ethernet drivers to Fortville SW5 (LP: #1547674)
    - net: bulk free infrastructure for NAPI context, use napi_consume_skb
    - net: Add eth_platform_get_mac_address() helper.
    - i40e: Add mac_filter_element at the end of the list instead of HEAD
    - i40e/i40evf: Fix RSS rx-flow-hash configuration through ethtool
    - i40e: Replace X722 mac check in ethtool get_settings
    - i40evf: allow channel bonding of VFs
    - i40e: define function capabilities in only one place
    - i40evf: null out ring pointers on free
    - i40e: Cleanup the code with respect to restarting autoneg
    - i40e: update features with right offload
    - i40e: bump version to 1.4.10
    - i40e: add new device IDs for X722
    - i40e: Extend ethtool RSS hooks for X722
    - i40e/i40evf: Fix for UDP/TCP RSS for X722
    - i40evf: add new write-back mode
    - i40e/i40evf: Use private workqueue
    - i40e: add new proxy-wol bit for X722
    - i40e: Limit DCB FW version checks to X710/XL710 devices
    - i40e: AQ Add Run PHY Activity struct
    - i40e: AQ Geneve cloud tunnel type
    - i40e: AQ Add external power class to get link status
    - i40e: add 100Mb ethtool reporting
    - ixgbe: bulk free SKBs during TX completion cleanup cycle
    - igb: Remove unnecessary flag setting in igb_set_flag_queue_pairs()
    - igb: Unpair the queues when changing the number of queues...

This bug was fixed in the package linux - 4.4.0-8.23

---------------
linux (4.4.0-8.23) xenial; urgency=low

* cgroup namespace mounts broken in containers (LP: #1549398)
    - SAUCE: kernfs: Always set super block owner to init_user_ns

* 4.4.0-7.22 no longer boots on arm64 (LP: #1547718)
    - arm64: mm: avoid calling apply_to_page_range on empty range
    - UBUNTU SAUCE: arm: mm: avoid calling apply_to_page_range on empty range

* kernel install failed /bin/cp: cannot stat ‘/boot/initrd.img-4.3.0-7-generic’: No such file or directory (LP: #1536810)
    - [Config] postinst -- handle recreating symlinks when a real file is present

* insecure overlayfs xattrs handling in copy_up (LP: #1534961)
    - SAUCE: cred: Add clone_cred() interface
    - SAUCE: overlayfs: Use mounter's credentials instead of selectively raising caps
    - SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs
    - SAUCE: overlayfs: Be more careful about copying up sxid files
    - SAUCE: overlayfs: Propogate nosuid from lower and upper mounts

* overlayfs over fuse should refuse copy_up of files if uid/gid not mapped (LP: #1535150)
    - SAUCE: cred: Add clone_cred() interface
    - SAUCE: overlayfs: Use mounter's credentials instead of selectively raising caps
    - SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs
    - SAUCE: overlayfs: Be more careful about copying up sxid files
    - SAUCE: overlayfs: Propogate nosuid from lower and upper mounts

* overlay: mkdir fails if directory exists in lowerdir in a user namespace (LP: #1531747)
    - SAUCE: cred: Add clone_cred() interface
    - SAUCE: overlayfs: Use mounter's credentials instead of selectively raising caps
    - SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs

* Update Intel ethernet drivers to Fortville SW5 (LP: #1547674)
    - net: bulk free infrastructure for NAPI context, use napi_consume_skb
    - net: Add eth_platform_get_mac_address() helper.
    - i40e: Add mac_filter_element at the end of the list instead of HEAD
    - i40e/i40evf: Fix RSS rx-flow-hash configuration through ethtool
    - i40e: Replace X722 mac check in ethtool get_settings
    - i40evf: allow channel bonding of VFs
    - i40e: define function capabilities in only one place
    - i40evf: null out ring pointers on free
    - i40e: Cleanup the code with respect to restarting autoneg
    - i40e: update features with right offload
    - i40e: bump version to 1.4.10
    - i40e: add new device IDs for X722
    - i40e: Extend ethtool RSS hooks for X722
    - i40e/i40evf: Fix for UDP/TCP RSS for X722
    - i40evf: add new write-back mode
    - i40e/i40evf: Use private workqueue
    - i40e: add new proxy-wol bit for X722
    - i40e: Limit DCB FW version checks to X710/XL710 devices
    - i40e: AQ Add Run PHY Activity struct
    - i40e: AQ Geneve cloud tunnel type
    - i40e: AQ Add external power class to get link status
    - i40e: add 100Mb ethtool reporting
    - ixgbe: bulk free SKBs during TX completion cleanup cycle
    - igb: Remove unnecessary flag setting in igb_set_flag_queue_pairs()
    - igb: Unpair the queues when changing the number of queues
    - igb/igbvf: don't give up
    - igb: clean up code for setting MAC address
    - igb: Refactor VFTA configuration
    - igb: Allow asymmetric configuration of MTU versus Rx frame size
    - igb: Do not factor VLANs into RLPML calculation
    - igb: Always enable VLAN 0 even if 8021q is not loaded
    - igb: Merge VLVF configuration into igb_vfta_set
    - igb: Clean-up configuration of VF port VLANs
    - igb: Add support for VLAN promiscuous with SR-IOV and NTUPLE
    - igb: Drop unnecessary checks in transmit path
    - igb: Enable use of "bridge fdb add" to set unicast table entries
    - igb: Add workaround for VLAN tag stripping on 82576
    - i40e: AQ Shared resource flags
    - i40e: AQ Add set_switch_config
    - i40e: AQ Add VXLAN-GPE tunnel type
    - i40e: AQ thermal sensor control struct
    - i40e: Bump AQ minor version to 1.5 for new FW features
    - i40e: Store lan_vsi_idx and lan_vsi_id in the right size
    - i40e: fix write-back-on-itr to work with legacy itr
    - i40e: add counter for arq overflows
    - i40e: add 20G speed for Tx bandwidth calculations
    - i40e: refactor DCB function
    - i40e: add a little more to an NVM update debug message
    - i40evf: enable bus master after reset
    - i40e: add netdev info to VSI dump
    - i40e: remove VF device IDs from PF
    - i40e: trivial: remove unnecessary local var
    - i40e/i40evf: Bump i40e to 1.4.11 and i40evf to 1.4.7
    - net: ixgbe: add minimal parser details for ixgbe
    - i40e: trivial: drop duplicate definition
    - i40e: trivial: fix missing space
    - i40e: fix bug in dma sync
    - i40e: do TSO only if CHECKSUM_PARTIAL is set
    - i40e: allocate memory safer
    - i40e: fix: do not sleep in netdev_ops
    - i40e: APIs to Add/remove port mirroring rules
    - i40e: negate PHY int mask bits
    - i40e: drop unused function
    - i40e: count allocation errors
    - i40e: avoid large memcpy by assigning struct
    - i40e/i40evf: bump version to 1.4.12/1.4.8
    - i40e: Enable Geneve offload for FW API ver > 1.4 for XL710/X710 devices
    - i40e: add priv flag for automatic rule eviction
    - i40e: use eth_platform_get_mac_address()
    - i40e: move sync_vsi_filters up in service_task
    - i40e: Make the DCB firmware checks for X710/XL710 only
    - i40e: set shared bit for multicast filters
    - i40e: add VEB stat control and remove L2 cloud filter
    - i40e: use new add_veb calling with VEB stats control
    - i40e: Refactor force_wb and WB_ON_ITR functionality code
    - i40evf: Change vf driver string to reflect all products i40evf supports
    - i40e/i40evf: don't lose interrupts
    - i40e/i40evf: try again after failure
    - i40e: dump descriptor indexes in hex
    - i40e/i40evf: use __GFP_NOWARN
    - i40e/i40evf: use pages correctly in Rx
    - i40e/i40evf: use logical operators, not bitwise
    - i40e: properly show packet split status in debugfs
    - i40e/i40evf: Bump version
    - ixgbe: use u32 instead of __u32 in model header
    - ixgbe: fix dates on header of ixgbe_model.h
    - i40e: get rid of magic number
    - i40e: drop unused debugfs file "dump"
    - i40evf: support packet split receive
    - i40e: trivial: cleanup use of pf->hw
    - i40e: Add a SW workaround for lost interrupts
    - i40e: Fix PROMISC mode for Multi-function per port (MFP) devices
    - i40e: Removal of code which relies on BASE VEB SEID
    - i40e/i40evf: avoid atomics
    - i40e: Do not disable queues in the Legacy/MSI Interrupt handler
    - i40e: expand comment
    - i40e: better error reporting for nvmupdate
    - i40evf: set adapter state on reset failure
    - i40e: clean event descriptor before use
    - i40e: When in promisc mode apply promisc mode to Tx Traffic as well
    - i40e/i40evf: Bump i40e to 1.4.15 and i40evf to 1.4.11.
    - i40e/i40evf: Drop outer checksum offload that was not requested
    - i40e/i40evf: Use u64 values instead of casting them in TSO function
    - i40e/i40evf: Factor out L4 header and checksum from L3 bits in TSO path
    - i40e/i40evf: Consolidate all header changes into TSO function
    - i40e/i40evf: Replace header pointers with unions of pointers in Tx checksum path
    - i40e/i40evf: Add support for IPv4 encapsulated in IPv6
    - i40e/i40evf: Handle IPv6 extension headers in checksum offload
    - i40e/i40evf: Do not write to descriptor unless we complete
    - i40e/i40evf: Add exception handling for Tx checksum
    - i40e/i40evf: Clean-up Rx packet checksum handling
    - i40e/i40evf: Enable support for SKB_GSO_UDP_TUNNEL_CSUM
    - i40e: Fix ATR in relation to tunnels
    - i40e: Do not drop support for IPv6 VXLAN or GENEVE tunnels
    - i40e: Update feature flags to reflect newly enabled features
    - i40evf: Update feature flags to reflect newly enabled features
    - i40e: Add support for ATR w/ IPv6 extension headers
    - i40e/i40evf: Break up xmit_descriptor_count from maybe_stop_tx
    - i40e/i40evf: Rewrite logic for 8 descriptor per packet check
    - i40e/i40evf: Move Tx checksum closer to TSO
    - i40e: Add functions to blink led on 10GBaseT PHY
    - i40e: Fix led blink capability for 10GBaseT PHY
    - i40e: Increase timeout when checking GLGEN_RSTAT_DEVSTATE bit
    - i40e: Do not wait for Rx queue disable in DCB reconfig
    - i40e: Fix for unexpected messaging
    - i40e: Expose some registers to program parser, FD and RSS logic
    - i40e: add check for null VSI
    - i40e: add adminq commands for Rx CTL registers
    - i40e: implement and use Rx CTL helper functions
    - i40e: Use the new rx ctl register helpers. Don't use AQ calls from clear_hw.
    - i40e: suspend scheduling during driver unload
    - i40e: let go of the past
    - i40e/i40evf: Bump i40e to 1.4.25 and i40evf to 1.4.15

* MPT3SAS Driver update for next kernel release (LP: #1512221)
    - mpt3sas: A correction in unmap_resources
    - mpt3sas: Added support for high port count HBA variants.
    - mpt3sas: Used IEEE SGL instead of MPI SGL while framing a SMP Passthrough request message.
    - mpt3sas: Fix static analyzer(coverity) tool identified defects
    - mpt3sas: Never block the Enclosure device
    - mpt3sas: Make use of additional HighPriority credit message frames for sending SCSI IO's
    - mpt3sas: Added smp_affinity_enable module parameter.
    - mpt3sas: Add support for configurable Chain Frame Size
    - mpt3sas: Updated MPI Header to 2.00.42
    - mpt3sas: Fix for Asynchronous completion of timedout IO and task abort of timedout IO.
    - mpt3sas: Updating mpt3sas driver version to 12.100.00.00
    - mpt3sas: Remove cpumask_clear for zalloc_cpumask_var and don't free free_cpu_mask_var before reply_q

* /sys/class/scsi_host/hostN/partition_number and .../mad_version showing up BE on LE Ubuntu. (ibmvscsi) (LP: #1547153)
    - ibmvscsi: Add endian conversions to sysfs attribute show functions

* Miscellaneous Ubuntu changes
    - [Packaging] git-ubuntu-log -- output should be utf-8
    - [Packaging] git-ubuntu-log -- handle invalid or private bugs

-- Andy Whitcroft <apw@canonical.com>  Wed, 24 Feb 2016 20:34:49 +0000

Changed in linux (Ubuntu):
status:	In Progress → Fix Released

Ubuntu
linux package

xenial master-next: cgroup mounting broken in containers

Bug Description

Other bug subscribers

Patches

Remote bug watches

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Fix Released	High	Seth Forshee
	Xenial	Fix Released	High	Seth Forshee

Ubuntulinux package

xenial master-next: cgroup mounting broken in containers

Bug Description

Other bug subscribers

Patches

Remote bug watches

Ubuntu
linux package