[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20170417060706.28674-1-matt@nmatt.com>
Date: Mon, 17 Apr 2017 02:07:02 -0400
From: Matt Brown <matt@...tt.com>
To: jmorris@...ei.org, gregkh@...uxfoundation.org,
akpm@...ux-foundation.org
Cc: linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, kernel-hardening@...ts.openwall.com
Subject: Patchset to Restrict Unprivileged TIOCSTI TTY Command Injection
The following patchset reproduces GRKERNSEC_HARDEN_TTY functionality from the grsecurity project in-kernel. The purpose of this feature is to restrict unprivileged users from injecting commands into other processes in the same tty session by using the TIOCSTI ioctl.
It creates the kernel config SECURITY_TIOCSTI_RESTRICT and the sysctl kernel.tiocsti_restrict to control this feature. I modeled most of the code style and naming conventions off of SECURITY_DMESG_RESTRICT.
drivers/tty/tty_io.c | 4 ++++
include/linux/tty.h | 2 ++
kernel/sysctl.c | 12 ++++++++++++
security/Kconfig | 12 ++++++++++++
4 files changed, 30 insertions(+)
[PATCH 1/4] added SECURITY_TIOCSTI_RESTRICT kernel config
[PATCH 2/4] add tiocsti_restrict variable
[PATCH 3/4] restrict unprivileged TIOCSTI tty ioctl
[PATCH 4/4] added kernel.tiocsti_restrict sysctl
Powered by blists - more mailing lists