MIN)
This, combined with the use of user namespaces, will allow hardening
protections to be built to mitigate container escapes that utilize TTY
ioctls such as TIOCSTI.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1411256
Signed-off-by: Matt Brown
---
drivers/tty/tty_io.c | 1 +
inclu
indeed shared over privilege boundaries.
This is also an excellent writeup about the issue:
<http://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/>
When user namespaces are in use, the check for the capability
CAP_SYS_ADMIN is done against the user namespace that originally o
On 04/23/2017 01:02 PM, Jann Horn wrote:
On Sun, Apr 23, 2017 at 9:24 AM, Matt Brown wrote:
This patch adds struct user_namespace *owner_user_ns to the tty_struct.
Then it is set to current_user_ns() in the alloc_tty_struct function.
This is done to facilitate capability checks against the
This patchset introduces the tiocsti_restrict sysctl, whose default is
controlled via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this
control restricts all TIOCSTI ioctl calls from non-CAP_SYS_ADMIN users.
This patch was inspired by GRKERNSEC_HARDEN_TTY.
This patch would have prevented
h
MIN)
This, combined with the use of user namespaces, will allow hardening
protections to be built to mitigate container escapes that utilize TTY
ioctls such as TIOCSTI.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1411256
Signed-off-by: Matt Brown
---
drivers/tty/tty_io.c | 4
inclu
indeed shared over privilege boundaries.
This is also an excellent writeup about the issue:
<http://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/>
When user namespaces are in use, the check for the capability
CAP_SYS_ADMIN is done against the user namespace that originally o
On 04/23/2017 09:09 PM, Serge E. Hallyn wrote:
Quoting Matt Brown (m...@nmatt.com):
This patch adds struct user_namespace *owner_user_ns to the tty_struct.
Then it is set to current_user_ns() in the alloc_tty_struct function.
This is done to facilitate capability checks against the original
This patchset introduces the tiocsti_restrict sysctl, whose default is
controlled via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this
control restricts all TIOCSTI ioctl calls from non-CAP_SYS_ADMIN users.
This patch was inspired by GRKERNSEC_HARDEN_TTY.
This patch would have prevented
h
er namespace that originally opened
the tty.
Signed-off-by: Matt Brown
---
Documentation/sysctl/kernel.txt | 21 +
drivers/tty/tty_io.c| 6 ++
include/linux/tty.h | 2 ++
kernel/sysctl.c | 12
security/Kconfig
MIN)
This, combined with the use of user namespaces, will allow hardening
protections to be built to mitigate container escapes that utilize TTY
ioctls such as TIOCSTI.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1411256
Signed-off-by: Matt Brown
---
drivers/tty/tty_io.c | 2 ++
inclu
On 04/26/2017 08:47 AM, One Thousand Gnomes wrote:
open() what? As far as I know, for System-V PTYs, there is no path you can
open() that will give you the PTY master. Am I missing something?
Sorry brain fade - no.
If I want to do the equivalent of the TIOCSTI attack then I fork a process
and
On 05/03/2017 03:45 PM, Greg KH wrote:
On Wed, May 03, 2017 at 12:32:07PM -0700, Kees Cook wrote:
On Mon, Apr 24, 2017 at 6:57 AM, Serge E. Hallyn wrote:
Quoting Matt Brown (m...@nmatt.com):
This patch adds struct user_namespace *owner_user_ns to the tty_struct.
Then it is set to
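The thread above is about restricting the TIOCSTI ioctl, which lets any process holding a tty file descriptor queue bytes into that tty's input as if they had been typed (the halfdog "pushback" escalation). The following C program is an added example, not code from Matt Brown's patch or from the thread, that reproduces the mechanism on a private pty pair so nothing reaches the reader's real terminal. It assumes a Linux host with /dev/ptmx available. With `as_ctty=1` the child takes the pty slave as its controlling terminal, which is the su/sudo session case the writeup describes; with `as_ctty=0` the slave is just an open fd, which the unmodified kernel already refuses for TIOCSTI unless the caller has CAP_SYS_ADMIN. On a kernel carrying the thread's tiocsti_restrict (or the later mainline dev.tty.legacy_tiocsti=0 setting), an unprivileged caller gets PROBE_DENIED on both paths. The PROBE_* names, the 2-second poll timeout and the sample line `id\n` are this example's own choices.

```c
/* tiocsti_probe.c: added example, not code from the patch or the thread.
 * Builds a private pty pair, then tries the TIOCSTI "push back" the thread
 * describes: queue bytes into the tty's input as if typed, read them back. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <termios.h>
#include <unistd.h>

/* Result codes chosen for this example. */
enum { PROBE_INJECTED = 0, PROBE_DENIED = 1, PROBE_NO_PTY = 2, PROBE_ERROR = 3 };

/* Runs in a forked child so setsid()/TIOCSCTTY cannot disturb the caller.
 * as_ctty=1: make the slave our controlling terminal (the su/sudo case).
 * as_ctty=0: keep it a plain fd; the stock kernel then requires CAP_SYS_ADMIN. */
static int probe_child(const char *line, int as_ctty, char *buf, size_t bufsz)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0 || grantpt(master) < 0 || unlockpt(master) < 0) return PROBE_NO_PTY;
    const char *name = ptsname(master);
    if (!name) return PROBE_NO_PTY;
    if (as_ctty) setsid();                      /* new session with no ctty yet */
    int slave = open(name, O_RDWR | (as_ctty ? 0 : O_NOCTTY));
    if (slave < 0) return PROBE_NO_PTY;
    if (as_ctty) ioctl(slave, TIOCSCTTY, 0);    /* explicit; open() usually did it */

    struct termios t;                           /* stay canonical, but drop echo */
    if (tcgetattr(slave, &t) == 0) { t.c_lflag &= ~ECHO; tcsetattr(slave, TCSANOW, &t); }

    for (size_t i = 0; line[i]; i++) {          /* one TIOCSTI call per byte */
        char c = line[i];
        if (ioctl(slave, TIOCSTI, &c) < 0)
            return (errno == EPERM || errno == EIO) ? PROBE_DENIED : PROBE_ERROR;
    }
    if (line[0] == '\0' || line[strlen(line) - 1] != '\n') {
        char nl = '\n';                         /* canonical read needs a line end */
        if (ioctl(slave, TIOCSTI, &nl) < 0) return PROBE_ERROR;
    }
    struct pollfd pfd = { .fd = slave, .events = POLLIN };
    if (poll(&pfd, 1, 2000) <= 0) return PROBE_ERROR;   /* never hang the caller */
    ssize_t n = read(slave, buf, bufsz - 1);    /* what a shell on this tty would get */
    if (n < 0) return PROBE_ERROR;
    buf[n] = '\0';
    return PROBE_INJECTED;
}

/* Returns a PROBE_* code.  On PROBE_INJECTED, `out` holds the line the tty
 * handed back, i.e. the text a shell reading that tty would have executed. */
int tiocsti_probe(const char *line, int as_ctty, char *out, size_t outsz)
{
    int pipefd[2];
    out[0] = '\0';
    if (pipe(pipefd) < 0) return PROBE_ERROR;
    pid_t pid = fork();
    if (pid < 0) { close(pipefd[0]); close(pipefd[1]); return PROBE_ERROR; }
    if (pid == 0) {
        close(pipefd[0]);
        char buf[256] = {0};
        unsigned char st = (unsigned char)probe_child(line, as_ctty, buf, sizeof buf);
        if (write(pipefd[1], &st, 1) != 1) _exit(1);
        if (write(pipefd[1], buf, strlen(buf)) < 0) _exit(1);
        _exit(0);
    }
    close(pipefd[1]);
    unsigned char st = PROBE_ERROR;
    if (read(pipefd[0], &st, 1) != 1) st = PROBE_ERROR;
    size_t got = 0;
    ssize_t n;
    while (got < outsz - 1 && (n = read(pipefd[0], out + got, outsz - 1 - got)) > 0)
        got += (size_t)n;
    out[got] = '\0';
    close(pipefd[0]);
    waitpid(pid, NULL, 0);
    return st;
}

int main(void)
{
    static const char *names[] = { "INJECTED", "DENIED", "NO_PTY", "ERROR" };
    char out[256];
    int r = tiocsti_probe("id\n", 1, out, sizeof out);
    printf("as controlling tty: %s %s", names[r], r == PROBE_INJECTED ? out : "\n");
    r = tiocsti_probe("id\n", 0, out, sizeof out);
    printf("as plain fd       : %s %s", names[r], r == PROBE_INJECTED ? out : "\n");
    return 0;
}
```

Run it once as an unprivileged user and once as root: the `as_ctty=1` path succeeding for an unprivileged user is exactly the condition the patch closes, and the difference between the two paths shows the existing controlling-terminal check that the patch's owner_user_ns capability check is layered on top of.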
15 matches