Date: Tue, 25 Apr 2017 15:55:21 +0100
From: Alan Cox
To: Matt Brown
Cc: serge@hallyn.com, jmorris@namei.org, gregkh@linuxfoundation.org, jslaby@suse.com, corbet@lwn.net, keescook@chromium.org, akpm@linux-foundation.org, jannh@google.com, kernel-hardening@lists.openwall.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org
Subject: Re: [PATCH v4 1/2] tiocsti-restrict : Add owner user namespace to tty_struct
Message-ID: <20170425155521.03b393de@lxorguk.ukuu.org.uk>
In-Reply-To: <20170424051512.20420-2-matt@nmatt.com>
References: <20170424051512.20420-1-matt@nmatt.com> <20170424051512.20420-2-matt@nmatt.com>
Organization: Intel Corporation

On Mon, 24 Apr 2017 01:15:11 -0400 Matt Brown wrote:
> This patch adds struct user_namespace *owner_user_ns to the tty_struct.
> Then it is set to current_user_ns() in the alloc_tty_struct function.
>
> This is done to facilitate capability checks against the original user
> namespace that allocated the tty.
>
> E.g. ns_capable(tty->owner_user_ns, CAP_SYS_ADMIN)
>
> This combined with the use of user namespaces will allow hardening
> protections to be built to mitigate container escapes that utilize TTY
> ioctls such as TIOCSTI.

Regardless of the TIOCSTI usefulness this makes complete sense.

Alan
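As an added illustration (not code from the patch series or from anyone in this thread), the following userspace C model shows why recording the allocating user namespace in the tty matters. It reduces user_namespace, cred and tty_struct to the fields the check needs, sets owner_user_ns at allocation time the way the patch describes, and then evaluates ns_capable(tty->owner_user_ns, CAP_SYS_ADMIN) with a walk that mirrors the kernel's cap_capable() ancestry rule. All struct layouts, the model_* function names and the uid/namespace scenario are constructed for this example; only the capability number and the ancestry logic follow the kernel.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Userspace model of the check described in the patch. Illustrative only;
 * this is not the kernel's code. Structures are cut down to what the
 * check needs.
 */

#define CAP_SYS_ADMIN 21        /* bit index, as in linux/capability.h */
#define CAP_BIT(c)    (1ULL << (c))

struct user_namespace {
    const char *name;
    struct user_namespace *parent;  /* NULL only for the initial namespace */
    uint32_t owner;                 /* global (kernel) uid that created this ns */
    int level;                      /* 0 for init_user_ns, parent->level + 1 below */
};

struct cred {
    struct user_namespace *user_ns; /* namespace the task runs in */
    uint32_t euid;                  /* global (kernel) effective uid */
    uint64_t cap_effective;         /* capability bitmap, meaningful in user_ns */
};

/* The field the patch adds: the namespace that allocated the tty. */
struct tty_struct {
    const char *name;
    struct user_namespace *owner_user_ns;
};

/*
 * Mirrors the walk in the kernel's cap_capable(): a task holds a capability
 * in the target namespace if the target is its own namespace and the bit is
 * set, or if the task's euid created a child namespace on the path down to
 * the target. A target at or above the task's own namespace is never granted.
 */
static bool model_ns_capable(const struct cred *task,
                             const struct user_namespace *target, int cap)
{
    const struct user_namespace *ns = target;

    for (;;) {
        if (ns == task->user_ns)
            return (task->cap_effective & CAP_BIT(cap)) != 0;
        if (ns->level <= task->user_ns->level)
            return false;
        if (ns->parent == task->user_ns && ns->owner == task->euid)
            return true;
        ns = ns->parent;
    }
}

/* Model of alloc_tty_struct() after the patch: remember the allocator's ns. */
static void model_alloc_tty(struct tty_struct *tty, const char *name,
                            const struct cred *task)
{
    tty->name = name;
    tty->owner_user_ns = task->user_ns;
}

/* The hardening check the series enables: capability judged against the
 * namespace that owns the tty, not against the caller's own namespace. */
static bool model_tiocsti_allowed(const struct tty_struct *tty,
                                  const struct cred *task)
{
    return model_ns_capable(task, tty->owner_user_ns, CAP_SYS_ADMIN);
}

/* Constructed scenario: host root (global uid 0) creates a container whose
 * "root" is global uid 100000 and holds CAP_SYS_ADMIN only inside that ns. */
static struct user_namespace init_ns = { "init_user_ns", NULL, 0, 0 };
static struct user_namespace ctr_ns  = { "container_ns", &init_ns, 0, 1 };

static const struct cred host_root = { &init_ns, 0,      CAP_BIT(CAP_SYS_ADMIN) };
static const struct cred ctr_root  = { &ctr_ns,  100000, CAP_BIT(CAP_SYS_ADMIN) };

/* 1 if a container process passes the check on a tty allocated on the host. */
int container_can_inject_into_host_tty(void)
{
    struct tty_struct host_tty;
    model_alloc_tty(&host_tty, "host pty", &host_root);
    return model_tiocsti_allowed(&host_tty, &ctr_root);
}

/* 1 if host root passes the check on a tty allocated inside the container. */
int host_root_can_inject_into_container_tty(void)
{
    struct tty_struct ctr_tty;
    model_alloc_tty(&ctr_tty, "container pty", &ctr_root);
    return model_tiocsti_allowed(&ctr_tty, &host_root);
}

/* 1 if container root passes the check on its own container's tty. */
int container_root_can_inject_into_own_tty(void)
{
    struct tty_struct ctr_tty;
    model_alloc_tty(&ctr_tty, "container pty", &ctr_root);
    return model_tiocsti_allowed(&ctr_tty, &ctr_root);
}

int main(void)
{
    printf("container -> host tty:      %s\n",
           container_can_inject_into_host_tty() ? "allowed" : "denied");
    printf("host root -> container tty: %s\n",
           host_root_can_inject_into_container_tty() ? "allowed" : "denied");
    printf("container -> own tty:       %s\n",
           container_root_can_inject_into_own_tty() ? "allowed" : "denied");
    return 0;
}
```

The first scenario is the one the patch targets: without owner_user_ns the check would be made in the caller's own namespace, where container root does hold CAP_SYS_ADMIN, so it would pass; checked against init_user_ns it fails, because the target namespace is not below the caller's. The other two scenarios show that the check does not break legitimate use: the host administrator who created the container still passes, and container root keeps the capability over ttys allocated inside its own namespace.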