[CRIU] RFC: Add owner user namespace to tty_struct
Matt Brown
matt at nmatt.com
Fri May 26 13:50:01 PDT 2017
Hello All,
I'm currently attempting to upstream a patch from the grsecurity project to the
Linux kernel that makes the TIOCSTI ioctl require CAP_SYS_ADMIN.
See mailing list for reference:
http://www.openwall.com/lists/kernel-hardening/2017/05/05/20
In order to make this feature respect user namespaces, I first introduce an
infrastructure change that adds "struct user_namespace *owner_user_ns" to
tty_struct. Then in my second patch, I introduce the tiocsti_restrict sysctl
which, when activated, requires that a process have the CAP_SYS_ADMIN capability
in the user namespace which originally created the tty/pty.
patch that adds owner user namespace to tty_struct:
http://www.openwall.com/lists/kernel-hardening/2017/05/05/21
patch that makes TIOCSTI ioctl require CAP_SYS_ADMIN:
http://www.openwall.com/lists/kernel-hardening/2017/05/05/22
The issue was raised in the kernel hardening mailing list about if this would
affect criu, and if I need to provide a method for exposing the owner_user_ns
that corresponds to a given tty/pty.
If I do need to expose this information, do you have any suggestions on how best
to do it in order to make it easy for criu to integrate these changes?
Thanks,
Matt Brown
More information about the CRIU
mailing list