The do_remount function in fs/namespace.c in the Linux kernel through 3.16.1 does not maintain the MNT_LOCK_READONLY bit across a remount of a bind mount, which allows local users to bypass an intended read-only restriction and defeat certain sandbox protection mechanisms via a mount -o remount command within a user namespace.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Linux_kernel | Linux | 3.13 | * |
Linux_kernel | Linux | 3.15 | * |
Linux_kernel | Linux | 3.11 | * |
Linux_kernel | Linux | 3.8 | * |