From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751224AbdFBSST (ORCPT ); Fri, 2 Jun 2017 14:18:19 -0400 Received: from h2.hallyn.com ([78.46.35.8]:46290 "EHLO h2.hallyn.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750966AbdFBSSQ (ORCPT ); Fri, 2 Jun 2017 14:18:16 -0400 Date: Fri, 2 Jun 2017 13:18:22 -0500 From: "Serge E. Hallyn" To: Matt Brown Cc: "Serge E. Hallyn" , Alan Cox , Kees Cook , Casey Schaufler , Boris Lukashev , Greg KH , "kernel-hardening@lists.openwall.com" , linux-security-module , linux-kernel , linux-api@vger.kernel.org Subject: Re: [kernel-hardening] Re: [PATCH v7 2/2] security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN Message-ID: <20170602181822.GA5125@mail.hallyn.com> References: <20170531005633.484a2e14@alans-desktop> <20170601140812.583cf0a5@alans-desktop> <20170601222432.6f593538@lxorguk.ukuu.org.uk> <2d0ad49c-886e-1caf-771a-d251957f614c@nmatt.com> <20170602153647.GA2688@mail.hallyn.com> <20170602165732.GA3614@mail.hallyn.com> <3027e4fa-5dc2-a52f-8699-9974cb4d4b6b@nmatt.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3027e4fa-5dc2-a52f-8699-9974cb4d4b6b@nmatt.com> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Quoting Matt Brown (matt@nmatt.com): > On 6/2/17 12:57 PM, Serge E. Hallyn wrote: > > I'm not quite sure what you're asking for here. Let me offer a precise > > strawman design. I'm sure there are problems with it, it's just a starting > > point. > > > > system-wide whitelist (for now 'may_push_chars') is full by default. > > > > So is may_push_chars just an alias for TIOCSTI? Or are there some > potential whitelist members that would map to multiple ioctls? I'm seeing it as only TIOCSTI right now. > > By default, nothing changes - you can use those on your own tty, need > > CAP_SYS_ADMIN against init_user_ns otherwise. > > > > Introduce a new CAP_TTY_PRIVILEGED. > > > > I'm fine with this. > > > When may_push_chars is removed from the whitelist, you lose the ability > > to use TIOCSTI on a tty - even your own - if you do not have CAP_TTY_PRIVILEGED > > against the tty's user_ns. > > > > How do you propose storing/updating the whitelist? sysctl? > > If it is a sysctl, would each whitelist member have a sysctl? > e.g.: kernel.ioctlwhitelist.may_push_chars = 1 > > Overall, I'm fine with this idea. That sounds reasonable. Or a securityfs file - I guess not everyone has securityfs, but if it were to become part of YAMA then that would work. -serge From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Serge E. Hallyn" Subject: Re: [kernel-hardening] Re: [PATCH v7 2/2] security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN Date: Fri, 2 Jun 2017 13:18:22 -0500 Message-ID: <20170602181822.GA5125@mail.hallyn.com> References: <20170531005633.484a2e14@alans-desktop> <20170601140812.583cf0a5@alans-desktop> <20170601222432.6f593538@lxorguk.ukuu.org.uk> <2d0ad49c-886e-1caf-771a-d251957f614c@nmatt.com> <20170602153647.GA2688@mail.hallyn.com> <20170602165732.GA3614@mail.hallyn.com> <3027e4fa-5dc2-a52f-8699-9974cb4d4b6b@nmatt.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Return-path: Content-Disposition: inline In-Reply-To: <3027e4fa-5dc2-a52f-8699-9974cb4d4b6b-YiBOUZGZpYMAvxtiuMwx3w@public.gmane.org> Sender: linux-api-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org To: Matt Brown Cc: "Serge E. Hallyn" , Alan Cox , Kees Cook , Casey Schaufler , Boris Lukashev , Greg KH , "kernel-hardening-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org" , linux-security-module , linux-kernel , linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org List-Id: linux-api@vger.kernel.org Quoting Matt Brown (matt-YiBOUZGZpYMAvxtiuMwx3w@public.gmane.org): > On 6/2/17 12:57 PM, Serge E. Hallyn wrote: > > I'm not quite sure what you're asking for here. Let me offer a precise > > strawman design. I'm sure there are problems with it, it's just a starting > > point. > > > > system-wide whitelist (for now 'may_push_chars') is full by default. > > > > So is may_push_chars just an alias for TIOCSTI? Or are there some > potential whitelist members that would map to multiple ioctls? I'm seeing it as only TIOCSTI right now. > > By default, nothing changes - you can use those on your own tty, need > > CAP_SYS_ADMIN against init_user_ns otherwise. > > > > Introduce a new CAP_TTY_PRIVILEGED. > > > > I'm fine with this. > > > When may_push_chars is removed from the whitelist, you lose the ability > > to use TIOCSTI on a tty - even your own - if you do not have CAP_TTY_PRIVILEGED > > against the tty's user_ns. > > > > How do you propose storing/updating the whitelist? sysctl? > > If it is a sysctl, would each whitelist member have a sysctl? > e.g.: kernel.ioctlwhitelist.may_push_chars = 1 > > Overall, I'm fine with this idea. That sounds reasonable. Or a securityfs file - I guess not everyone has securityfs, but if it were to become part of YAMA then that would work. -serge From mboxrd@z Thu Jan 1 00:00:00 1970 From: serge@hallyn.com (Serge E. Hallyn) Date: Fri, 2 Jun 2017 13:18:22 -0500 Subject: [kernel-hardening] Re: [PATCH v7 2/2] security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN In-Reply-To: <3027e4fa-5dc2-a52f-8699-9974cb4d4b6b@nmatt.com> References: <20170531005633.484a2e14@alans-desktop> <20170601140812.583cf0a5@alans-desktop> <20170601222432.6f593538@lxorguk.ukuu.org.uk> <2d0ad49c-886e-1caf-771a-d251957f614c@nmatt.com> <20170602153647.GA2688@mail.hallyn.com> <20170602165732.GA3614@mail.hallyn.com> <3027e4fa-5dc2-a52f-8699-9974cb4d4b6b@nmatt.com> Message-ID: <20170602181822.GA5125@mail.hallyn.com> To: linux-security-module@vger.kernel.org List-Id: linux-security-module.vger.kernel.org Quoting Matt Brown (matt at nmatt.com): > On 6/2/17 12:57 PM, Serge E. Hallyn wrote: > > I'm not quite sure what you're asking for here. Let me offer a precise > > strawman design. I'm sure there are problems with it, it's just a starting > > point. > > > > system-wide whitelist (for now 'may_push_chars') is full by default. > > > > So is may_push_chars just an alias for TIOCSTI? Or are there some > potential whitelist members that would map to multiple ioctls? I'm seeing it as only TIOCSTI right now. > > By default, nothing changes - you can use those on your own tty, need > > CAP_SYS_ADMIN against init_user_ns otherwise. > > > > Introduce a new CAP_TTY_PRIVILEGED. > > > > I'm fine with this. > > > When may_push_chars is removed from the whitelist, you lose the ability > > to use TIOCSTI on a tty - even your own - if you do not have CAP_TTY_PRIVILEGED > > against the tty's user_ns. > > > > How do you propose storing/updating the whitelist? sysctl? > > If it is a sysctl, would each whitelist member have a sysctl? > e.g.: kernel.ioctlwhitelist.may_push_chars = 1 > > Overall, I'm fine with this idea. That sounds reasonable. Or a securityfs file - I guess not everyone has securityfs, but if it were to become part of YAMA then that would work. -serge -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html From mboxrd@z Thu Jan 1 00:00:00 1970 Date: Fri, 2 Jun 2017 13:18:22 -0500 From: "Serge E. Hallyn" Message-ID: <20170602181822.GA5125@mail.hallyn.com> References: <20170531005633.484a2e14@alans-desktop> <20170601140812.583cf0a5@alans-desktop> <20170601222432.6f593538@lxorguk.ukuu.org.uk> <2d0ad49c-886e-1caf-771a-d251957f614c@nmatt.com> <20170602153647.GA2688@mail.hallyn.com> <20170602165732.GA3614@mail.hallyn.com> <3027e4fa-5dc2-a52f-8699-9974cb4d4b6b@nmatt.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3027e4fa-5dc2-a52f-8699-9974cb4d4b6b@nmatt.com> Subject: Re: [kernel-hardening] Re: [PATCH v7 2/2] security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN To: Matt Brown Cc: "Serge E. Hallyn" , Alan Cox , Kees Cook , Casey Schaufler , Boris Lukashev , Greg KH , "kernel-hardening@lists.openwall.com" , linux-security-module , linux-kernel , linux-api@vger.kernel.org List-ID: Quoting Matt Brown (matt@nmatt.com): > On 6/2/17 12:57 PM, Serge E. Hallyn wrote: > > I'm not quite sure what you're asking for here. Let me offer a precise > > strawman design. I'm sure there are problems with it, it's just a starting > > point. > > > > system-wide whitelist (for now 'may_push_chars') is full by default. > > > > So is may_push_chars just an alias for TIOCSTI? Or are there some > potential whitelist members that would map to multiple ioctls? I'm seeing it as only TIOCSTI right now. > > By default, nothing changes - you can use those on your own tty, need > > CAP_SYS_ADMIN against init_user_ns otherwise. > > > > Introduce a new CAP_TTY_PRIVILEGED. > > > > I'm fine with this. > > > When may_push_chars is removed from the whitelist, you lose the ability > > to use TIOCSTI on a tty - even your own - if you do not have CAP_TTY_PRIVILEGED > > against the tty's user_ns. > > > > How do you propose storing/updating the whitelist? sysctl? > > If it is a sysctl, would each whitelist member have a sysctl? > e.g.: kernel.ioctlwhitelist.may_push_chars = 1 > > Overall, I'm fine with this idea. That sounds reasonable. Or a securityfs file - I guess not everyone has securityfs, but if it were to become part of YAMA then that would work. -serge