From: Greg KH <gregkh@linuxfoundation.org>
To: Matt Brown <matt@nmatt.com>
Cc: jmorris@namei.org, akpm@linux-foundation.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com
Subject: [kernel-hardening] Re: [PATCH 1/4] added SECURITY_TIOCSTI_RESTRICT kernel config
Date: Mon, 17 Apr 2017 08:50:55 +0200 [thread overview]
Message-ID: <20170417065055.GA21022@kroah.com> (raw)
In-Reply-To: <20170417060706.28674-2-matt@nmatt.com>
On Mon, Apr 17, 2017 at 02:07:03AM -0400, Matt Brown wrote:
> adding the kernel config SECURITY_TIOCSTI_RESTRICT in order to allow
> the user to restrict unprivileged command injection using TIOCSTI
> tty ioctls
"unpriviledged command injection"? That sounds a bit "odd", don't you
think?
>
> Signed-off-by: Matt Brown <matt@nmatt.com>
> ---
> security/Kconfig | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/security/Kconfig b/security/Kconfig
> index 3ff1bf9..d757bcb 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -18,6 +18,18 @@ config SECURITY_DMESG_RESTRICT
>
> If you are unsure how to answer this question, answer N.
>
> +config SECURITY_TIOCSTI_RESTRICT
> + bool "Restrict unprivileged use of tiocsti command injection"
> + default n
> + help
> + This enforces restrictions on unprivileged users injecting commands
> + into other processes in the same tty session using the TIOCSTI ioctl
Tabs and spaces?
Since tty sessions are usually separated by different users, how would
they have the same one and yet need something like this?
Also, why not put this in the tty config section?
And finally, this patch on its own doesn't do anything :(
thanks,
greg k-h
WARNING: multiple messages have this Message-ID (diff)
From: gregkh@linuxfoundation.org (Greg KH)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 1/4] added SECURITY_TIOCSTI_RESTRICT kernel config
Date: Mon, 17 Apr 2017 08:50:55 +0200 [thread overview]
Message-ID: <20170417065055.GA21022@kroah.com> (raw)
In-Reply-To: <20170417060706.28674-2-matt@nmatt.com>
On Mon, Apr 17, 2017 at 02:07:03AM -0400, Matt Brown wrote:
> adding the kernel config SECURITY_TIOCSTI_RESTRICT in order to allow
> the user to restrict unprivileged command injection using TIOCSTI
> tty ioctls
"unpriviledged command injection"? That sounds a bit "odd", don't you
think?
>
> Signed-off-by: Matt Brown <matt@nmatt.com>
> ---
> security/Kconfig | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/security/Kconfig b/security/Kconfig
> index 3ff1bf9..d757bcb 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -18,6 +18,18 @@ config SECURITY_DMESG_RESTRICT
>
> If you are unsure how to answer this question, answer N.
>
> +config SECURITY_TIOCSTI_RESTRICT
> + bool "Restrict unprivileged use of tiocsti command injection"
> + default n
> + help
> + This enforces restrictions on unprivileged users injecting commands
> + into other processes in the same tty session using the TIOCSTI ioctl
Tabs and spaces?
Since tty sessions are usually separated by different users, how would
they have the same one and yet need something like this?
Also, why not put this in the tty config section?
And finally, this patch on its own doesn't do anything :(
thanks,
greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Greg KH <gregkh@linuxfoundation.org>
To: Matt Brown <matt@nmatt.com>
Cc: jmorris@namei.org, akpm@linux-foundation.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com
Subject: Re: [PATCH 1/4] added SECURITY_TIOCSTI_RESTRICT kernel config
Date: Mon, 17 Apr 2017 08:50:55 +0200 [thread overview]
Message-ID: <20170417065055.GA21022@kroah.com> (raw)
In-Reply-To: <20170417060706.28674-2-matt@nmatt.com>
On Mon, Apr 17, 2017 at 02:07:03AM -0400, Matt Brown wrote:
> adding the kernel config SECURITY_TIOCSTI_RESTRICT in order to allow
> the user to restrict unprivileged command injection using TIOCSTI
> tty ioctls
"unpriviledged command injection"? That sounds a bit "odd", don't you
think?
>
> Signed-off-by: Matt Brown <matt@nmatt.com>
> ---
> security/Kconfig | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/security/Kconfig b/security/Kconfig
> index 3ff1bf9..d757bcb 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -18,6 +18,18 @@ config SECURITY_DMESG_RESTRICT
>
> If you are unsure how to answer this question, answer N.
>
> +config SECURITY_TIOCSTI_RESTRICT
> + bool "Restrict unprivileged use of tiocsti command injection"
> + default n
> + help
> + This enforces restrictions on unprivileged users injecting commands
> + into other processes in the same tty session using the TIOCSTI ioctl
Tabs and spaces?
Since tty sessions are usually separated by different users, how would
they have the same one and yet need something like this?
Also, why not put this in the tty config section?
And finally, this patch on its own doesn't do anything :(
thanks,
greg k-h
next prev parent reply other threads:[~2017-04-17 6:50 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-17 6:07 [kernel-hardening] Patchset to Restrict Unprivileged TIOCSTI TTY Command Injection Matt Brown
2017-04-17 6:07 ` Matt Brown
2017-04-17 6:07 ` Matt Brown
2017-04-17 6:07 ` [kernel-hardening] [PATCH 1/4] added SECURITY_TIOCSTI_RESTRICT kernel config Matt Brown
2017-04-17 6:07 ` Matt Brown
2017-04-17 6:07 ` Matt Brown
2017-04-17 6:50 ` Greg KH [this message]
2017-04-17 6:50 ` Greg KH
2017-04-17 6:50 ` Greg KH
2017-04-18 4:29 ` [kernel-hardening] " Matt Brown
2017-04-18 4:29 ` Matt Brown
2017-04-18 4:29 ` Matt Brown
2017-04-18 13:40 ` [kernel-hardening] " Alan Cox
2017-04-18 13:40 ` Alan Cox
2017-04-18 13:40 ` Alan Cox
2017-04-18 15:49 ` [kernel-hardening] " Kees Cook
2017-04-18 15:49 ` Kees Cook
2017-04-17 6:07 ` [kernel-hardening] [PATCH 2/4] add tiocsti_restrict variable Matt Brown
2017-04-17 6:07 ` Matt Brown
2017-04-17 6:07 ` Matt Brown
2017-04-17 6:51 ` [kernel-hardening] " Greg KH
2017-04-17 6:51 ` Greg KH
2017-04-17 6:51 ` Greg KH
2017-04-17 6:07 ` [kernel-hardening] [PATCH 3/4] restrict unprivileged TIOCSTI tty ioctl Matt Brown
2017-04-17 6:07 ` Matt Brown
2017-04-17 6:07 ` Matt Brown
2017-04-17 6:53 ` [kernel-hardening] " Greg KH
2017-04-17 6:53 ` Greg KH
2017-04-17 6:53 ` Greg KH
2017-04-17 14:18 ` [kernel-hardening] " Jann Horn
2017-04-17 14:18 ` Jann Horn
2017-04-17 16:18 ` Matt Brown
2017-04-17 16:18 ` Matt Brown
2017-04-17 6:07 ` [kernel-hardening] [PATCH 4/4] added kernel.tiocsti_restrict sysctl Matt Brown
2017-04-17 6:07 ` Matt Brown
2017-04-17 6:07 ` Matt Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170417065055.GA21022@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=jmorris@namei.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matt@nmatt.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.