| Message ID | 20170424051512.20420-2-matt@nmatt.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
Quoting Matt Brown (matt@nmatt.com): > This patch adds struct user_namespace *owner_user_ns to the tty_struct. > Then it is set to current_user_ns() in the alloc_tty_struct function. > > This is done to facilitate capability checks against the original user > namespace that allocated the tty. > > E.g. ns_capable(tty->owner_user_ns,CAP_SYS_ADMIN) > > This combined with the use of user namespace's will allow hardening > protections to be built to mitigate container escapes that utilize TTY > ioctls such as TIOCSTI. > > See: https://bugzilla.redhat.com/show_bug.cgi?id=1411256 > > Signed-off-by: Matt Brown <matt@nmatt.com> Acked-by: Serge Hallyn <serge@hallyn.com> > --- > drivers/tty/tty_io.c | 2 ++ > include/linux/tty.h | 2 ++ > 2 files changed, 4 insertions(+) > > diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c > index e6d1a65..c276814 100644 > --- a/drivers/tty/tty_io.c > +++ b/drivers/tty/tty_io.c > @@ -171,6 +171,7 @@ static void free_tty_struct(struct tty_struct *tty) > put_device(tty->dev); > kfree(tty->write_buf); > tty->magic = 0xDEADDEAD; > + put_user_ns(tty->owner_user_ns); > kfree(tty); > } > > @@ -3191,6 +3192,7 @@ struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx) > tty->index = idx; > tty_line_name(driver, idx, tty->name); > tty->dev = tty_get_device(tty); > + tty->owner_user_ns = get_user_ns(current_user_ns()); > > return tty; > } > diff --git a/include/linux/tty.h b/include/linux/tty.h > index 1017e904..d902d42 100644 > --- a/include/linux/tty.h > +++ b/include/linux/tty.h > @@ -12,6 +12,7 @@ > #include <uapi/linux/tty.h> > #include <linux/rwsem.h> > #include <linux/llist.h> > +#include <linux/user_namespace.h> > > > /* > @@ -333,6 +334,7 @@ struct tty_struct { > /* If the tty has a pending do_SAK, queue it here - akpm */ > struct work_struct SAK_work; > struct tty_port *port; > + struct user_namespace *owner_user_ns; > }; > > /* Each of a tty's open files has private_data pointing to tty_file_private */ > -- > 2.10.2 -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Mon, 24 Apr 2017 01:15:11 -0400 Matt Brown <matt@nmatt.com> wrote: > This patch adds struct user_namespace *owner_user_ns to the tty_struct. > Then it is set to current_user_ns() in the alloc_tty_struct function. > > This is done to facilitate capability checks against the original user > namespace that allocated the tty. > > E.g. ns_capable(tty->owner_user_ns,CAP_SYS_ADMIN) > > This combined with the use of user namespace's will allow hardening > protections to be built to mitigate container escapes that utilize TTY > ioctls such as TIOCSTI. Regardles of the TIOCSTI usefulness this makes complete sense. Alan -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Mon, Apr 24, 2017 at 6:57 AM, Serge E. Hallyn <serge@hallyn.com> wrote: > Quoting Matt Brown (matt@nmatt.com): >> This patch adds struct user_namespace *owner_user_ns to the tty_struct. >> Then it is set to current_user_ns() in the alloc_tty_struct function. >> >> This is done to facilitate capability checks against the original user >> namespace that allocated the tty. >> >> E.g. ns_capable(tty->owner_user_ns,CAP_SYS_ADMIN) >> >> This combined with the use of user namespace's will allow hardening >> protections to be built to mitigate container escapes that utilize TTY >> ioctls such as TIOCSTI. >> >> See: https://bugzilla.redhat.com/show_bug.cgi?id=1411256 >> >> Signed-off-by: Matt Brown <matt@nmatt.com> > > Acked-by: Serge Hallyn <serge@hallyn.com> This Ack didn't end up in the v5, but I think it stands, yes? Greg, is the v5 okay to pull for you or would a v6 with Acks/Reviews included be preferred? -Kees > >> --- >> drivers/tty/tty_io.c | 2 ++ >> include/linux/tty.h | 2 ++ >> 2 files changed, 4 insertions(+) >> >> diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c >> index e6d1a65..c276814 100644 >> --- a/drivers/tty/tty_io.c >> +++ b/drivers/tty/tty_io.c >> @@ -171,6 +171,7 @@ static void free_tty_struct(struct tty_struct *tty) >> put_device(tty->dev); >> kfree(tty->write_buf); >> tty->magic = 0xDEADDEAD; >> + put_user_ns(tty->owner_user_ns); >> kfree(tty); >> } >> >> @@ -3191,6 +3192,7 @@ struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx) >> tty->index = idx; >> tty_line_name(driver, idx, tty->name); >> tty->dev = tty_get_device(tty); >> + tty->owner_user_ns = get_user_ns(current_user_ns()); >> >> return tty; >> } >> diff --git a/include/linux/tty.h b/include/linux/tty.h >> index 1017e904..d902d42 100644 >> --- a/include/linux/tty.h >> +++ b/include/linux/tty.h >> @@ -12,6 +12,7 @@ >> #include <uapi/linux/tty.h> >> #include <linux/rwsem.h> >> #include <linux/llist.h> >> +#include <linux/user_namespace.h> >> >> >> /* >> @@ -333,6 +334,7 @@ struct tty_struct { >> /* If the tty has a pending do_SAK, queue it here - akpm */ >> struct work_struct SAK_work; >> struct tty_port *port; >> + struct user_namespace *owner_user_ns; >> }; >> >> /* Each of a tty's open files has private_data pointing to tty_file_private */ >> -- >> 2.10.2
On Wed, May 03, 2017 at 12:32:07PM -0700, Kees Cook wrote: > On Mon, Apr 24, 2017 at 6:57 AM, Serge E. Hallyn <serge@hallyn.com> wrote: > > Quoting Matt Brown (matt@nmatt.com): > >> This patch adds struct user_namespace *owner_user_ns to the tty_struct. > >> Then it is set to current_user_ns() in the alloc_tty_struct function. > >> > >> This is done to facilitate capability checks against the original user > >> namespace that allocated the tty. > >> > >> E.g. ns_capable(tty->owner_user_ns,CAP_SYS_ADMIN) > >> > >> This combined with the use of user namespace's will allow hardening > >> protections to be built to mitigate container escapes that utilize TTY > >> ioctls such as TIOCSTI. > >> > >> See: https://bugzilla.redhat.com/show_bug.cgi?id=1411256 > >> > >> Signed-off-by: Matt Brown <matt@nmatt.com> > > > > Acked-by: Serge Hallyn <serge@hallyn.com> > > This Ack didn't end up in the v5, but I think it stands, yes? > > Greg, is the v5 okay to pull for you or would a v6 with Acks/Reviews > included be preferred? v6 would be great, and we are dropping patch 2 from the series, right? I was expecting this to be resent. I'll start looking at new patches like this after 4.12-rc1 is out. thanks, greg k-h -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 05/03/2017 03:45 PM, Greg KH wrote: > On Wed, May 03, 2017 at 12:32:07PM -0700, Kees Cook wrote: >> On Mon, Apr 24, 2017 at 6:57 AM, Serge E. Hallyn <serge@hallyn.com> wrote: >>> Quoting Matt Brown (matt@nmatt.com): >>>> This patch adds struct user_namespace *owner_user_ns to the tty_struct. >>>> Then it is set to current_user_ns() in the alloc_tty_struct function. >>>> >>>> This is done to facilitate capability checks against the original user >>>> namespace that allocated the tty. >>>> >>>> E.g. ns_capable(tty->owner_user_ns,CAP_SYS_ADMIN) >>>> >>>> This combined with the use of user namespace's will allow hardening >>>> protections to be built to mitigate container escapes that utilize TTY >>>> ioctls such as TIOCSTI. >>>> >>>> See: https://bugzilla.redhat.com/show_bug.cgi?id=1411256 >>>> >>>> Signed-off-by: Matt Brown <matt@nmatt.com> >>> >>> Acked-by: Serge Hallyn <serge@hallyn.com> >> >> This Ack didn't end up in the v5, but I think it stands, yes? >> >> Greg, is the v5 okay to pull for you or would a v6 with Acks/Reviews >> included be preferred? > > v6 would be great, and we are dropping patch 2 from the series, right? > I was expecting this to be resent. I'll start looking at new patches > like this after 4.12-rc1 is out. > I will create a v6 with the Acks/Reviews. I'd like to keep patch 2 in since that got acked by at least Serge. (Kees also? or just patch 1?) > thanks, > > greg k-h > -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, May 3, 2017 at 1:02 PM, Matt Brown <matt@nmatt.com> wrote: > On 05/03/2017 03:45 PM, Greg KH wrote: >> >> On Wed, May 03, 2017 at 12:32:07PM -0700, Kees Cook wrote: >>> >>> On Mon, Apr 24, 2017 at 6:57 AM, Serge E. Hallyn <serge@hallyn.com> >>> wrote: >>>> >>>> Quoting Matt Brown (matt@nmatt.com): >>>>> >>>>> This patch adds struct user_namespace *owner_user_ns to the tty_struct. >>>>> Then it is set to current_user_ns() in the alloc_tty_struct function. >>>>> >>>>> This is done to facilitate capability checks against the original user >>>>> namespace that allocated the tty. >>>>> >>>>> E.g. ns_capable(tty->owner_user_ns,CAP_SYS_ADMIN) >>>>> >>>>> This combined with the use of user namespace's will allow hardening >>>>> protections to be built to mitigate container escapes that utilize TTY >>>>> ioctls such as TIOCSTI. >>>>> >>>>> See: https://bugzilla.redhat.com/show_bug.cgi?id=1411256 >>>>> >>>>> Signed-off-by: Matt Brown <matt@nmatt.com> >>>> >>>> >>>> Acked-by: Serge Hallyn <serge@hallyn.com> >>> >>> >>> This Ack didn't end up in the v5, but I think it stands, yes? >>> >>> Greg, is the v5 okay to pull for you or would a v6 with Acks/Reviews >>> included be preferred? >> >> >> v6 would be great, and we are dropping patch 2 from the series, right? >> I was expecting this to be resent. I'll start looking at new patches >> like this after 4.12-rc1 is out. >> > > I will create a v6 with the Acks/Reviews. I'd like to keep patch 2 in > since that got acked by at least Serge. (Kees also? or just patch 1?) Sorry, I meant that patch 2's ack from serge got dropped accidentally. i.e. he Acked v4, but it wasn't in v5. Serge, just to double-check, does your Ack stand? -Kees
On Wed, May 03, 2017 at 01:19:41PM -0700, Kees Cook wrote: > On Wed, May 3, 2017 at 1:02 PM, Matt Brown <matt@nmatt.com> wrote: > > On 05/03/2017 03:45 PM, Greg KH wrote: > >> > >> On Wed, May 03, 2017 at 12:32:07PM -0700, Kees Cook wrote: > >>> > >>> On Mon, Apr 24, 2017 at 6:57 AM, Serge E. Hallyn <serge@hallyn.com> > >>> wrote: > >>>> > >>>> Quoting Matt Brown (matt@nmatt.com): > >>>>> > >>>>> This patch adds struct user_namespace *owner_user_ns to the tty_struct. > >>>>> Then it is set to current_user_ns() in the alloc_tty_struct function. > >>>>> > >>>>> This is done to facilitate capability checks against the original user > >>>>> namespace that allocated the tty. > >>>>> > >>>>> E.g. ns_capable(tty->owner_user_ns,CAP_SYS_ADMIN) > >>>>> > >>>>> This combined with the use of user namespace's will allow hardening > >>>>> protections to be built to mitigate container escapes that utilize TTY > >>>>> ioctls such as TIOCSTI. > >>>>> > >>>>> See: https://bugzilla.redhat.com/show_bug.cgi?id=1411256 > >>>>> > >>>>> Signed-off-by: Matt Brown <matt@nmatt.com> > >>>> > >>>> > >>>> Acked-by: Serge Hallyn <serge@hallyn.com> > >>> > >>> > >>> This Ack didn't end up in the v5, but I think it stands, yes? > >>> > >>> Greg, is the v5 okay to pull for you or would a v6 with Acks/Reviews > >>> included be preferred? > >> > >> > >> v6 would be great, and we are dropping patch 2 from the series, right? > >> I was expecting this to be resent. I'll start looking at new patches > >> like this after 4.12-rc1 is out. > >> > > > > I will create a v6 with the Acks/Reviews. I'd like to keep patch 2 in > > since that got acked by at least Serge. (Kees also? or just patch 1?) > > Sorry, I meant that patch 2's ack from serge got dropped accidentally. > i.e. he Acked v4, but it wasn't in v5. > > Serge, just to double-check, does your Ack stand? Yes. thanks, -serge -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c index e6d1a65..c276814 100644 --- a/drivers/tty/tty_io.c +++ b/drivers/tty/tty_io.c @@ -171,6 +171,7 @@ static void free_tty_struct(struct tty_struct *tty) put_device(tty->dev); kfree(tty->write_buf); tty->magic = 0xDEADDEAD; + put_user_ns(tty->owner_user_ns); kfree(tty); } @@ -3191,6 +3192,7 @@ struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx) tty->index = idx; tty_line_name(driver, idx, tty->name); tty->dev = tty_get_device(tty); + tty->owner_user_ns = get_user_ns(current_user_ns()); return tty; } diff --git a/include/linux/tty.h b/include/linux/tty.h index 1017e904..d902d42 100644 --- a/include/linux/tty.h +++ b/include/linux/tty.h @@ -12,6 +12,7 @@ #include <uapi/linux/tty.h> #include <linux/rwsem.h> #include <linux/llist.h> +#include <linux/user_namespace.h> /* @@ -333,6 +334,7 @@ struct tty_struct { /* If the tty has a pending do_SAK, queue it here - akpm */ struct work_struct SAK_work; struct tty_port *port; + struct user_namespace *owner_user_ns; }; /* Each of a tty's open files has private_data pointing to tty_file_private */
This patch adds struct user_namespace *owner_user_ns to the tty_struct. Then it is set to current_user_ns() in the alloc_tty_struct function. This is done to facilitate capability checks against the original user namespace that allocated the tty. E.g. ns_capable(tty->owner_user_ns,CAP_SYS_ADMIN) This combined with the use of user namespace's will allow hardening protections to be built to mitigate container escapes that utilize TTY ioctls such as TIOCSTI. See: https://bugzilla.redhat.com/show_bug.cgi?id=1411256 Signed-off-by: Matt Brown <matt@nmatt.com> --- drivers/tty/tty_io.c | 2 ++ include/linux/tty.h | 2 ++ 2 files changed, 4 insertions(+)