From: "Serge E. Hallyn" <serge@hallyn.com>
To: Kees Cook <keescook@chromium.org>
Cc: Matt Brown <matt@nmatt.com>, Greg KH <gregkh@linuxfoundation.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
James Morris <jmorris@namei.org>, Jiri Slaby <jslaby@suse.com>,
Jonathan Corbet <corbet@lwn.net>,
Andrew Morton <akpm@linux-foundation.org>,
Jann Horn <jannh@google.com>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
linux-security-module <linux-security-module@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>
Subject: Re: [kernel-hardening] Re: [PATCH v4 1/2] tiocsti-restrict : Add owner user namespace to tty_struct
Date: Wed, 3 May 2017 23:42:06 -0500 [thread overview]
Message-ID: <20170504044206.GA18463@mail.hallyn.com> (raw)
In-Reply-To: <CAGXu5jK=_jS4hmCt90nLUbic6v+gEqm7kF+KLzOLVfSTBJrEuw@mail.gmail.com>
On Wed, May 03, 2017 at 01:19:41PM -0700, Kees Cook wrote:
> On Wed, May 3, 2017 at 1:02 PM, Matt Brown <matt@nmatt.com> wrote:
> > On 05/03/2017 03:45 PM, Greg KH wrote:
> >>
> >> On Wed, May 03, 2017 at 12:32:07PM -0700, Kees Cook wrote:
> >>>
> >>> On Mon, Apr 24, 2017 at 6:57 AM, Serge E. Hallyn <serge@hallyn.com>
> >>> wrote:
> >>>>
> >>>> Quoting Matt Brown (matt@nmatt.com):
> >>>>>
> >>>>> This patch adds struct user_namespace *owner_user_ns to the tty_struct.
> >>>>> Then it is set to current_user_ns() in the alloc_tty_struct function.
> >>>>>
> >>>>> This is done to facilitate capability checks against the original user
> >>>>> namespace that allocated the tty.
> >>>>>
> >>>>> E.g. ns_capable(tty->owner_user_ns,CAP_SYS_ADMIN)
> >>>>>
> >>>>> This combined with the use of user namespace's will allow hardening
> >>>>> protections to be built to mitigate container escapes that utilize TTY
> >>>>> ioctls such as TIOCSTI.
> >>>>>
> >>>>> See: https://bugzilla.redhat.com/show_bug.cgi?id=1411256
> >>>>>
> >>>>> Signed-off-by: Matt Brown <matt@nmatt.com>
> >>>>
> >>>>
> >>>> Acked-by: Serge Hallyn <serge@hallyn.com>
> >>>
> >>>
> >>> This Ack didn't end up in the v5, but I think it stands, yes?
> >>>
> >>> Greg, is the v5 okay to pull for you or would a v6 with Acks/Reviews
> >>> included be preferred?
> >>
> >>
> >> v6 would be great, and we are dropping patch 2 from the series, right?
> >> I was expecting this to be resent. I'll start looking at new patches
> >> like this after 4.12-rc1 is out.
> >>
> >
> > I will create a v6 with the Acks/Reviews. I'd like to keep patch 2 in
> > since that got acked by at least Serge. (Kees also? or just patch 1?)
>
> Sorry, I meant that patch 2's ack from serge got dropped accidentally.
> i.e. he Acked v4, but it wasn't in v5.
>
> Serge, just to double-check, does your Ack stand?
Yes.
thanks,
-serge
WARNING: multiple messages have this Message-ID (diff)
From: serge@hallyn.com (Serge E. Hallyn)
To: linux-security-module@vger.kernel.org
Subject: [kernel-hardening] Re: [PATCH v4 1/2] tiocsti-restrict : Add owner user namespace to tty_struct
Date: Wed, 3 May 2017 23:42:06 -0500 [thread overview]
Message-ID: <20170504044206.GA18463@mail.hallyn.com> (raw)
In-Reply-To: <CAGXu5jK=_jS4hmCt90nLUbic6v+gEqm7kF+KLzOLVfSTBJrEuw@mail.gmail.com>
On Wed, May 03, 2017 at 01:19:41PM -0700, Kees Cook wrote:
> On Wed, May 3, 2017 at 1:02 PM, Matt Brown <matt@nmatt.com> wrote:
> > On 05/03/2017 03:45 PM, Greg KH wrote:
> >>
> >> On Wed, May 03, 2017 at 12:32:07PM -0700, Kees Cook wrote:
> >>>
> >>> On Mon, Apr 24, 2017 at 6:57 AM, Serge E. Hallyn <serge@hallyn.com>
> >>> wrote:
> >>>>
> >>>> Quoting Matt Brown (matt at nmatt.com):
> >>>>>
> >>>>> This patch adds struct user_namespace *owner_user_ns to the tty_struct.
> >>>>> Then it is set to current_user_ns() in the alloc_tty_struct function.
> >>>>>
> >>>>> This is done to facilitate capability checks against the original user
> >>>>> namespace that allocated the tty.
> >>>>>
> >>>>> E.g. ns_capable(tty->owner_user_ns,CAP_SYS_ADMIN)
> >>>>>
> >>>>> This combined with the use of user namespace's will allow hardening
> >>>>> protections to be built to mitigate container escapes that utilize TTY
> >>>>> ioctls such as TIOCSTI.
> >>>>>
> >>>>> See: https://bugzilla.redhat.com/show_bug.cgi?id=1411256
> >>>>>
> >>>>> Signed-off-by: Matt Brown <matt@nmatt.com>
> >>>>
> >>>>
> >>>> Acked-by: Serge Hallyn <serge@hallyn.com>
> >>>
> >>>
> >>> This Ack didn't end up in the v5, but I think it stands, yes?
> >>>
> >>> Greg, is the v5 okay to pull for you or would a v6 with Acks/Reviews
> >>> included be preferred?
> >>
> >>
> >> v6 would be great, and we are dropping patch 2 from the series, right?
> >> I was expecting this to be resent. I'll start looking at new patches
> >> like this after 4.12-rc1 is out.
> >>
> >
> > I will create a v6 with the Acks/Reviews. I'd like to keep patch 2 in
> > since that got acked by at least Serge. (Kees also? or just patch 1?)
>
> Sorry, I meant that patch 2's ack from serge got dropped accidentally.
> i.e. he Acked v4, but it wasn't in v5.
>
> Serge, just to double-check, does your Ack stand?
Yes.
thanks,
-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-05-04 4:42 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-24 5:15 [kernel-hardening] [PATCH v4 0/2] tiocsti-restrict : make TIOCSTI ioctl require CAP_SYS_ADMIN Matt Brown
2017-04-24 5:15 ` Matt Brown
2017-04-24 5:15 ` Matt Brown
2017-04-24 5:15 ` [kernel-hardening] [PATCH v4 1/2] tiocsti-restrict : Add owner user namespace to tty_struct Matt Brown
2017-04-24 5:15 ` Matt Brown
2017-04-24 5:15 ` Matt Brown
2017-04-24 13:57 ` [kernel-hardening] " Serge E. Hallyn
2017-04-24 13:57 ` Serge E. Hallyn
2017-04-24 13:57 ` Serge E. Hallyn
2017-05-03 19:32 ` [kernel-hardening] " Kees Cook
2017-05-03 19:32 ` Kees Cook
2017-05-03 19:32 ` Kees Cook
2017-05-03 19:45 ` [kernel-hardening] " Greg KH
2017-05-03 19:45 ` Greg KH
2017-05-03 19:45 ` Greg KH
2017-05-03 20:02 ` [kernel-hardening] " Matt Brown
2017-05-03 20:02 ` Matt Brown
2017-05-03 20:02 ` Matt Brown
2017-05-03 20:19 ` [kernel-hardening] " Kees Cook
2017-05-03 20:19 ` Kees Cook
2017-05-03 20:19 ` Kees Cook
2017-05-04 4:42 ` Serge E. Hallyn [this message]
2017-05-04 4:42 ` [kernel-hardening] " Serge E. Hallyn
2017-04-25 14:55 ` Alan Cox
2017-04-25 14:55 ` Alan Cox
2017-04-25 14:55 ` Alan Cox
2017-04-24 5:15 ` [kernel-hardening] [PATCH v4 2/2] tiocsti-restrict : make TIOCSTI ioctl require CAP_SYS_ADMIN Matt Brown
2017-04-24 5:15 ` Matt Brown
2017-04-24 5:15 ` Matt Brown
2017-04-24 13:59 ` [kernel-hardening] " Serge E. Hallyn
2017-04-24 13:59 ` Serge E. Hallyn
2017-04-24 13:59 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170504044206.GA18463@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=akpm@linux-foundation.org \
--cc=corbet@lwn.net \
--cc=gregkh@linuxfoundation.org \
--cc=jannh@google.com \
--cc=jmorris@namei.org \
--cc=jslaby@suse.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matt@nmatt.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.