On Wed, May 03, 2017 at 12:32:07PM -0700, Kees Cook wrote: > On Mon, Apr 24, 2017 at 6:57 AM, Serge E. Hallyn <[email protected]> wrote: > > Quoting Matt Brown ([email protected]): > >> This patch adds struct user_namespace *owner_user_ns to the tty_struct. > >> Then it is set to current_user_ns() in the alloc_tty_struct function. > >> > >> This is done to facilitate capability checks against the original user > >> namespace that allocated the tty. > >> > >> E.g. ns_capable(tty->owner_user_ns,CAP_SYS_ADMIN) > >> > >> This combined with the use of user namespace's will allow hardening > >> protections to be built to mitigate container escapes that utilize TTY > >> ioctls such as TIOCSTI. > >> > >> See: https://bugzilla.redhat.com/show_bug.cgi?id=1411256 > >> > >> Signed-off-by: Matt Brown <[email protected]> > > > > Acked-by: Serge Hallyn <[email protected]> > > This Ack didn't end up in the v5, but I think it stands, yes? > > Greg, is the v5 okay to pull for you or would a v6 with Acks/Reviews > included be preferred?
v6 would be great, and we are dropping patch 2 from the series, right? I was expecting this to be resent. I'll start looking at new patches like this after 4.12-rc1 is out. thanks, greg k-h
