On 04/24/17 at 11:53am, Dou Liyang wrote:
>
>
> At 04/24/2017 10:40 AM, Baoquan He wrote:
> > In commit:
> >
> > 9710f581bb4c ("x86, mm: Let "memmap=" take more entries one time")
> >
> > ... 'memmap=' was changed to adopt multiple, comma delimited values in a
> > single entry, so update the
This patch adds struct user_namespace *owner_user_ns to the tty_struct.
Then it is set to current_user_ns() in the alloc_tty_struct function.
This is done to facilitate capability checks against the original user
namespace that allocated the tty.
E.g. ns_capable(tty->owner_user_ns,CAP_SYS_ADMIN)
This introduces the tiocsti_restrict sysctl, whose default is controlled via
CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this control restricts
all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.
This patch depends on patch 1/2
This patch was inspired from GRKERNSEC_HARDEN_TTY.
This patc
This patchset introduces the tiocsti_restrict sysctl, whose default is
controlled via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this
control restricts all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.
This patch was inspired from GRKERNSEC_HARDEN_TTY.
This patch would have prevented
h
At 04/24/2017 10:40 AM, Baoquan He wrote:
In commit:
9710f581bb4c ("x86, mm: Let "memmap=" take more entries one time")
... 'memmap=' was changed to adopt multiple, comma delimited values in a
single entry, so update the related description.
In the special case of only specifying size valu
Quoting Matt Brown (m...@nmatt.com):
> This introduces the tiocsti_restrict sysctl, whose default is controlled via
> CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this control restricts
> all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.
>
> This patch was inspired from GRKERNSEC_HARDEN_T
Quoting Matt Brown (m...@nmatt.com):
> On 04/23/2017 09:09 PM, Serge E. Hallyn wrote:
> >Quoting Matt Brown (m...@nmatt.com):
> >>This patch adds struct user_namespace *owner_user_ns to the tty_struct.
> >>Then it is set to current_user_ns() in the alloc_tty_struct function.
> >>
> >>This is done t
On 04/23/2017 09:09 PM, Serge E. Hallyn wrote:
Quoting Matt Brown (m...@nmatt.com):
This patch adds struct user_namespace *owner_user_ns to the tty_struct.
Then it is set to current_user_ns() in the alloc_tty_struct function.
This is done to facilitate capability checks against the original use
In commit:
9710f581bb4c ("x86, mm: Let "memmap=" take more entries one time")
... 'memmap=' was changed to adopt multiple, comma delimited values in a
single entry, so update the related description.
In the special case of only specifying size value without an offset,
like memmap=nn[KMG], memm
Quoting Matt Brown (m...@nmatt.com):
> This patch adds struct user_namespace *owner_user_ns to the tty_struct.
> Then it is set to current_user_ns() in the alloc_tty_struct function.
>
> This is done to facilitate capability checks against the original user
> namespace that allocated the tty.
>
>
This introduces the tiocsti_restrict sysctl, whose default is controlled via
CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this control restricts
all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.
This patch was inspired from GRKERNSEC_HARDEN_TTY.
This patch would have prevented
https://bu
This patch adds struct user_namespace *owner_user_ns to the tty_struct.
Then it is set to current_user_ns() in the alloc_tty_struct function.
This is done to facilitate capability checks against the original user
namespace that allocated the tty.
E.g. ns_capable(tty->owner_user_ns,CAP_SYS_ADMIN)
This patchset introduces the tiocsti_restrict sysctl, whose default is
controlled via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this
control restricts all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.
This patch was inspired from GRKERNSEC_HARDEN_TTY.
This patch would have prevented
h
On Sun, Apr 23, 2017 at 10:23 PM, Matt Brown wrote:
> On 04/23/2017 01:02 PM, Jann Horn wrote:
>>
>> On Sun, Apr 23, 2017 at 9:24 AM, Matt Brown wrote:
>>>
>>> This patch adds struct user_namespace *owner_user_ns to the tty_struct.
>>> Then it is set to current_user_ns() in the alloc_tty_struct f
On 04/23/2017 01:02 PM, Jann Horn wrote:
On Sun, Apr 23, 2017 at 9:24 AM, Matt Brown wrote:
This patch adds struct user_namespace *owner_user_ns to the tty_struct.
Then it is set to current_user_ns() in the alloc_tty_struct function.
This is done to facilitate capability checks against the ori
Signed-off-by: Marcos Paulo de Souza
---
v5 -> v6:
Resend v5, but now include a change into input_uapi.rst (added by Dmitry and
Mauro) to include the newly added uinput documentation.
v4 -> v5:
Fixed the way we detect the old interface of uinput (suggested by Peter)
v3 -> v4:
Add comment
On Sun, Apr 23, 2017 at 9:24 AM, Matt Brown wrote:
> This patch adds struct user_namespace *owner_user_ns to the tty_struct.
> Then it is set to current_user_ns() in the alloc_tty_struct function.
>
> This is done to facilitate capability checks against the original user
> namespace that allocated
This patch adds struct user_namespace *owner_user_ns to the tty_struct.
Then it is set to current_user_ns() in the alloc_tty_struct function.
This is done to facilitate capability checks against the original user
namespace that allocated the tty.
E.g. ns_capable(tty->owner_user_ns,CAP_SYS_ADMIN)
This introduces the tiocsti_restrict sysctl, whose default is controlled via
CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this control restricts
all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.
This patch was inspired from GRKERNSEC_HARDEN_TTY.
This patch would have prevented
https://bu