On 5/30/17 7:40 PM, Daniel Micay wrote: > On Tue, 2017-05-30 at 19:00 -0400, Matt Brown wrote: >> On 5/30/17 4:22 PM, Daniel Micay wrote: >>>> Thanks, I didn't know that android was doing this. I still think >>>> this >>>> feature >>>> is worthwhile for people to be able to harden their systems >>>> against >>>> this attack >>>> vector without having to implement a MAC. >>> >>> Since there's a capable LSM hook for ioctl already, it means it >>> could go >>> in Yama with ptrace_scope but core kernel code would still need to >>> be >>> changed to track the owning tty. I think Yama vs. core kernel >>> shouldn't >>> matter much anymore due to stackable LSMs. >>> >> >> What does everyone think about a v8 that moves this feature under Yama >> and uses >> the file_ioctl LSM hook? > > It would only make a difference if it could be fully contained there, as > in not depending on tracking the tty owner. >
For the reasons discussed earlier (to allow for nested containers where one of the containers is privileged) we want to track the user namespace that owns the tty.
