[CRIU] RFC: Add owner user namespace to tty_struct

Pavel Emelyanov xemul at virtuozzo.com
Mon May 29 02:43:52 PDT 2017


On 05/29/2017 12:31 PM, Cyrill Gorcunov wrote:
> On Fri, May 26, 2017 at 04:50:01PM -0400, Matt Brown wrote:
>> Hello All,
>>
>> I'm currently attempting to upstream a patch from the grsecurity project to the
>> Linux kernel that makes the TIOCSTI ioctl require CAP_SYS_ADMIN.
>>
>> See mailing list for reference:
>> http://www.openwall.com/lists/kernel-hardening/2017/05/05/20
>>
>> In order to make this feature respect user namespaces, I first introduce an
>> infrastructure change that adds "struct user_namespace *owner_user_ns" to
>> tty_struct. Then in my second patch, I introduce the tiocsti_restrict sysctl
>> which, when activated, requires that a process have the CAP_SYS_ADMIN capability
>> in the user namespace which originally created the tty/pty.
>>
>> patch that adds owner user namespace to tty_struct:
>> http://www.openwall.com/lists/kernel-hardening/2017/05/05/21
>>
>> patch that makes TIOCSTI ioctl require CAP_SYS_ADMIN:
>> http://www.openwall.com/lists/kernel-hardening/2017/05/05/22
>>
>> The issue was raised on the kernel hardening mailing list about whether this would
>> affect criu, and if I need to provide a method for exposing the owner_user_ns
>> that corresponds to a given tty/pty.
>>
>> If I do need to expose this information, do you have any suggestions on how best
>> to do it in order to make it easy for criu to integrate these changes?
> 
> Hi Matt! Currently we don't use fake input in criu so at the moment it won't
> affect us anyhow, but in the long term I expect more owner_user_ns testing may
> appear. Thus we will need to know which owner a tty belongs to. I think we
> may extend tty_fops and use the show_fdinfo method to print owner_user_ns.

We have a similar problem with net_device:net pairing and with the userns:<any other ns>
one -- we need to know which object belongs to which. For the net_device:net case
a netdev ioctl has appeared that results in an opened namespace file, just
as if we did open("/proc/pid/ns/net"). I think the same API would be more convenient
for tty:userns. All the more so since there are already plenty of ioctls for ttys :)

-- Pavel
