Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932997AbdDQGHo (ORCPT ); Mon, 17 Apr 2017 02:07:44 -0400 Received: from relay2-d.mail.gandi.net ([217.70.183.194]:52099 "EHLO relay2-d.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932647AbdDQGHm (ORCPT ); Mon, 17 Apr 2017 02:07:42 -0400 X-Originating-IP: 72.66.113.207 From: Matt Brown To: jmorris@namei.org, gregkh@linuxfoundation.org, akpm@linux-foundation.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com Subject: Patchset to Restrict Unprivileged TIOCSTI TTY Command Injection Date: Mon, 17 Apr 2017 02:07:02 -0400 Message-Id: <20170417060706.28674-1-matt@nmatt.com> X-Mailer: git-send-email 2.10.2 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 855 Lines: 14 The following patchset reproduces GRKERNSEC_HARDEN_TTY functionality from the grsecurity project in-kernel. The purpose of this feature is to restrict unprivileged users from injecting commands into other processes in the same tty session by using the TIOCSTI ioctl. It creates the kernel config SECURITY_TIOCSTI_RESTRICT and the sysctl kernel.tiocsti_restrict to control this feature. I modeled most of the code style and naming conventions off of SECURITY_DMESG_RESTRICT. drivers/tty/tty_io.c | 4 ++++ include/linux/tty.h | 2 ++ kernel/sysctl.c | 12 ++++++++++++ security/Kconfig | 12 ++++++++++++ 4 files changed, 30 insertions(+) [PATCH 1/4] added SECURITY_TIOCSTI_RESTRICT kernel config [PATCH 2/4] add tiocsti_restrict variable [PATCH 3/4] restrict unprivileged TIOCSTI tty ioctl [PATCH 4/4] added kernel.tiocsti_restrict sysctl