Re: [kernel-hardening] Re: [PATCH 1/4] added SECURITY_TIOCSTI_RESTRICT kernel config

2017-04-18 Thread Kees Cook
On Tue, Apr 18, 2017 at 6:40 AM, Alan Cox wrote:
>> Since tty sessions are usually separated by different users, how would
>> they have the same one and yet need something like this?
>>
>> Also, why not put this in the tty config section?
>
> The normal attack use case people argue about is a

Re: [PATCH 1/4] added SECURITY_TIOCSTI_RESTRICT kernel config

2017-04-18 Thread Alan Cox
> Since tty sessions are usually separated by different users, how would
> they have the same one and yet need something like this?
>
> Also, why not put this in the tty config section?

The normal attack use case people argue about is a rogue process on the user's machine sitting there waiting

Re: [PATCH 1/4] added SECURITY_TIOCSTI_RESTRICT kernel config

2017-04-17 Thread Matt Brown
On 04/17/2017 02:50 AM, Greg KH wrote:
> On Mon, Apr 17, 2017 at 02:07:03AM -0400, Matt Brown wrote:
>> adding the kernel config SECURITY_TIOCSTI_RESTRICT in order to allow
>> the user to restrict unprivileged command injection using TIOCSTI
>> tty ioctls
>
> "unprivileged command injection"? That sounds

Re: [PATCH 1/4] added SECURITY_TIOCSTI_RESTRICT kernel config

2017-04-17 Thread Greg KH
On Mon, Apr 17, 2017 at 02:07:03AM -0400, Matt Brown wrote:
> adding the kernel config SECURITY_TIOCSTI_RESTRICT in order to allow
> the user to restrict unprivileged command injection using TIOCSTI
> tty ioctls

"unprivileged command injection"? That sounds a bit "odd", don't you think?

>
>

[PATCH 1/4] added SECURITY_TIOCSTI_RESTRICT kernel config

2017-04-17 Thread Matt Brown
adding the kernel config SECURITY_TIOCSTI_RESTRICT in order to allow the user to restrict unprivileged command injection using TIOCSTI tty ioctls Signed-off-by: Matt Brown --- security/Kconfig | 12 1 file changed, 12 insertions(+) diff --git a/security/Kconfig b/security/Kconfig