From: matt@nmatt.com (Matt Brown)
To: linux-security-module@vger.kernel.org
Subject: Patchset to Restrict Unprivileged TIOCSTI TTY Command Injection
Date: Mon, 17 Apr 2017 02:07:02 -0400 [thread overview]
Message-ID: <20170417060706.28674-1-matt@nmatt.com> (raw)
The following patchset reproduces GRKERNSEC_HARDEN_TTY functionality from the grsecurity project in-kernel. The purpose of this feature is to restrict unprivileged users from injecting commands into other processes in the same tty session by using the TIOCSTI ioctl.
It creates the kernel config SECURITY_TIOCSTI_RESTRICT and the sysctl kernel.tiocsti_restrict to control this feature. I modeled most of the code style and naming conventions off of SECURITY_DMESG_RESTRICT.
drivers/tty/tty_io.c | 4 ++++
include/linux/tty.h | 2 ++
kernel/sysctl.c | 12 ++++++++++++
security/Kconfig | 12 ++++++++++++
4 files changed, 30 insertions(+)
[PATCH 1/4] added SECURITY_TIOCSTI_RESTRICT kernel config
[PATCH 2/4] add tiocsti_restrict variable
[PATCH 3/4] restrict unprivileged TIOCSTI tty ioctl
[PATCH 4/4] added kernel.tiocsti_restrict sysctl
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next reply other threads:[~2017-04-17 6:07 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-17 6:07 Matt Brown [this message]
2017-04-17 6:07 ` [PATCH 1/4] added SECURITY_TIOCSTI_RESTRICT kernel config Matt Brown
2017-04-17 6:50 ` Greg KH
2017-04-18 4:29 ` Matt Brown
2017-04-18 13:40 ` Alan Cox
2017-04-18 15:49 ` [kernel-hardening] " Kees Cook
2017-04-17 6:07 ` [PATCH 2/4] add tiocsti_restrict variable Matt Brown
2017-04-17 6:51 ` Greg KH
2017-04-17 6:07 ` [PATCH 3/4] restrict unprivileged TIOCSTI tty ioctl Matt Brown
2017-04-17 6:53 ` Greg KH
2017-04-17 14:18 ` [kernel-hardening] " Jann Horn
2017-04-17 16:18 ` Matt Brown
2017-04-17 6:07 ` [PATCH 4/4] added kernel.tiocsti_restrict sysctl Matt Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170417060706.28674-1-matt@nmatt.com \
--to=matt@nmatt.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).