Re: [kernel-hardening] Re: [PATCH v4 1/2] tiocsti-restrict : Add owner user namespace to tty_struct

On Wed, May 03, 2017 at 01:19:41PM -0700, Kees Cook wrote: > On Wed, May 3, 2017 at 1:02 PM, Matt Brown wrote: > > On 05/03/2017 03:45 PM, Greg KH wrote: > >> > >> On Wed, May 03, 2017 at 12:32:07PM -0700, Kees Cook wrote: > >>> > >>> On Mon, Apr 24, 2017 at 6:57 AM, Serge E. Hallyn > >>> wrote:

Re: [PATCH v4 1/2] tiocsti-restrict : Add owner user namespace to tty_struct

On Wed, May 3, 2017 at 1:02 PM, Matt Brown wrote: > On 05/03/2017 03:45 PM, Greg KH wrote: >> >> On Wed, May 03, 2017 at 12:32:07PM -0700, Kees Cook wrote: >>> >>> On Mon, Apr 24, 2017 at 6:57 AM, Serge E. Hallyn >>> wrote: Quoting Matt Brown (m...@nmatt.com): > > This patch add

Re: [PATCH v4 1/2] tiocsti-restrict : Add owner user namespace to tty_struct

On 05/03/2017 03:45 PM, Greg KH wrote: On Wed, May 03, 2017 at 12:32:07PM -0700, Kees Cook wrote: On Mon, Apr 24, 2017 at 6:57 AM, Serge E. Hallyn wrote: Quoting Matt Brown (m...@nmatt.com): This patch adds struct user_namespace *owner_user_ns to the tty_struct. Then it is set to current_user

Re: [PATCH v4 1/2] tiocsti-restrict : Add owner user namespace to tty_struct

On Wed, May 03, 2017 at 12:32:07PM -0700, Kees Cook wrote: > On Mon, Apr 24, 2017 at 6:57 AM, Serge E. Hallyn wrote: > > Quoting Matt Brown (m...@nmatt.com): > >> This patch adds struct user_namespace *owner_user_ns to the tty_struct. > >> Then it is set to current_user_ns() in the alloc_tty_struc

Re: [PATCH v4 1/2] tiocsti-restrict : Add owner user namespace to tty_struct

On Mon, Apr 24, 2017 at 6:57 AM, Serge E. Hallyn wrote: > Quoting Matt Brown (m...@nmatt.com): >> This patch adds struct user_namespace *owner_user_ns to the tty_struct. >> Then it is set to current_user_ns() in the alloc_tty_struct function. >> >> This is done to facilitate capability checks agai

Re: [PATCH v4 1/2] tiocsti-restrict : Add owner user namespace to tty_struct

On Mon, 24 Apr 2017 01:15:11 -0400 Matt Brown wrote: > This patch adds struct user_namespace *owner_user_ns to the tty_struct. > Then it is set to current_user_ns() in the alloc_tty_struct function. > > This is done to facilitate capability checks against the original user > namespace that alloc

Re: [PATCH v4 1/2] tiocsti-restrict : Add owner user namespace to tty_struct

Quoting Matt Brown (m...@nmatt.com): > This patch adds struct user_namespace *owner_user_ns to the tty_struct. > Then it is set to current_user_ns() in the alloc_tty_struct function. > > This is done to facilitate capability checks against the original user > namespace that allocated the tty. > >

[PATCH v4 1/2] tiocsti-restrict : Add owner user namespace to tty_struct

This patch adds struct user_namespace *owner_user_ns to the tty_struct. Then it is set to current_user_ns() in the alloc_tty_struct function. This is done to facilitate capability checks against the original user namespace that allocated the tty. E.g. ns_capable(tty->owner_user_ns,CAP_SYS_ADMIN)