Re: [kernel-hardening] Re: [PATCH v7 2/2] security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN

From: Matt Brown
Date: Tue May 30 2017 - 19:59:30 EST


On 5/30/17 7:40 PM, Daniel Micay wrote:
> On Tue, 2017-05-30 at 19:00 -0400, Matt Brown wrote:
>> On 5/30/17 4:22 PM, Daniel Micay wrote:
>>>> Thanks, I didn't know that android was doing this. I still think
>>>> this
>>>> feature
>>>> is worthwhile for people to be able to harden their systems
>>>> against
>>>> this attack
>>>> vector without having to implement a MAC.
>>>
>>> Since there's a capable LSM hook for ioctl already, it means it
>>> could go
>>> in Yama with ptrace_scope but core kernel code would still need to
>>> be
>>> changed to track the owning tty. I think Yama vs. core kernel
>>> shouldn't
>>> matter much anymore due to stackable LSMs.
>>>
>>
>> What does everyone think about a v8 that moves this feature under Yama
>> and uses
>> the file_ioctl LSM hook?
>
> It would only make a difference if it could be fully contained there, as
> in not depending on tracking the tty owner.
>

For the reasons discussed earlier (to allow for nested containers where one of
the containers is privileged) we want to track the user namespace that owns the tty.