On Wed, May 03, 2017 at 12:32:07PM -0700, Kees Cook wrote:
On Mon, Apr 24, 2017 at 6:57 AM, Serge E. Hallyn <serge@xxxxxxxxxx> wrote:
Quoting Matt Brown (matt@xxxxxxxxx):
This patch adds struct user_namespace *owner_user_ns to the tty_struct.
Then it is set to current_user_ns() in the alloc_tty_struct function.
This is done to facilitate capability checks against the original user
namespace that allocated the tty.
This, combined with the use of user namespaces, will allow hardening
protections to be built to mitigate container escapes that utilize TTY
ioctls such as TIOCSTI.
Signed-off-by: Matt Brown <matt@xxxxxxxxx>
Acked-by: Serge Hallyn <serge@xxxxxxxxxx>
This Ack didn't end up in the v5, but I think it stands, yes?
Greg, is the v5 okay to pull for you or would a v6 with Acks/Reviews
included be preferred?
v6 would be great, and we are dropping patch 2 from the series, right?
I was expecting this to be resent. I'll start looking at new patches
like this after 4.12-rc1 is out.