kernel-hardening.lists.openwall.com archive mirror
* Re: Possibility of merge of disable ioctl TIOCSTI patch
From: Yann Droneaud @ 2022-06-01 15:41 UTC
  To: Simon Brand, kernelnewbies, linux-hardening, kernel-hardening

Hi,

On 24/05/2022 at 13:10, Simon Brand wrote:
> Hi,
>
> in the past there have been attempts to restrict the TIOCSTI ioctl. [0, 1]
> None of them are present in the current kernel.
> Since those tries there have been some security issues (sandbox
> escapes in flatpak (CVE-2019-10063) [2] and snap (CVE-2019-7303) [3],
> runuser [4], su [5]).
>
> I would provide a patch which leaves the current behavior as default,
> but TIOCSTI can be disabled via Kconfig or cmdline switch.
> Is there any chance this will get merged in 2022, since past
> attempts failed?
>
> Escapes can be reproduced easily (on archlinux) via a python script:
> ```
> import fcntl
> import termios
> with open("/dev/tty", "w") as fd:
>      for c in "id\n":
>          fcntl.ioctl(fd, termios.TIOCSTI, c)
> ```
> Now run as root:
> # su user
> $ python3 /path/to/script.py ; exit
> uid=0(root) ...
>
> Best,
> Simon
>
>
> [0] https://lkml.kernel.org/lkml/CAG48ez1NBnrsPnHN6D9nbOJP6+Q6zEV9vfx9q7ME4Eti-vRmhQ@mail.gmail.com/T/
> [1] https://lkml.kernel.org/lkml/20170420174100.GA16822@mail.hallyn.com/T/
> [2] https://github.com/flatpak/flatpak/issues/2782
> [3] https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapIoctlTIOCSTI
> [4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922
> [5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843
>

This is probably a topic for the (kernel|linux)-hardening@ mailing lists.


Regards.

-- 

Yann Droneaud

OPTEYA

* Re: Possibility of merge of disable ioctl TIOCSTI patch
From: Levente Polyak @ 2022-06-01 19:03 UTC
  To: Yann Droneaud, Simon Brand, kernelnewbies, linux-hardening,
	kernel-hardening

On 6/1/22 17:41, Yann Droneaud wrote:
>> I would provide a patch which leaves the current behavior as default,
>> but TIOCSTI can be disabled via Kconfig or cmdline switch.
>> Is there any chance this will get merged in 2022, since past
>> attempts failed?
>>

Small side note:

A complete version of Matt's initial patch has lived on in 
linux-hardened [0][1] with the `SECURITY_TIOCSTI_RESTRICT` Kconfig 
(default no) and a `tiocsti_restrict` sysctl.

If a re-attempt is feasible, both patches [0][1] could potentially be 
re-proposed as is.

In linux-hardened we have an independent patch [2] which simply sets the 
default value of `SECURITY_TIOCSTI_RESTRICT` to `yes`, but that most 
likely is not desired.

cheers,
Levente


[0] https://github.com/anthraxx/linux-hardened/commit/d0e49deb1a39dc64e7c7db3340579cfc9ab1e0df
[1] https://github.com/anthraxx/linux-hardened/commit/ea8f20602a993c90125bf08da39894f01166dc73
[2] https://github.com/anthraxx/linux-hardened/commit/238551f7b6a138d6f9ba0d55fe70cf6ddc237f47
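Added example, not part of the thread and not linux-hardened's own code: a POSIX shell check for the two knobs Levente names, usable as a host audit step. It assumes the `tiocsti_restrict` sysctl is exposed as /proc/sys/kernel/tiocsti_restrict (the `kernel.` namespace is an assumption; the thread only names the sysctl) and that the kernel build config is readable from /proc/config.gz or /boot/config-$(uname -r); the Kconfig symbol `SECURITY_TIOCSTI_RESTRICT` is the one named above. On a kernel without the patches both checks report the knob as absent, which is exactly what the check is for: the restriction only exists where those patches are carried.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the running kernel
# restricts the TIOCSTI ioctl. Assumed paths: the linux-hardened sysctl at
# /proc/sys/kernel/tiocsti_restrict (the thread names it only as
# `tiocsti_restrict`) and the build config at /proc/config.gz or
# /boot/config-$(uname -r).

# tiocsti_restrict_status [SYSCTL_FILE]
# Prints one of: restricted | unrestricted | unsupported | unknown:<value>
# Exit status: 0 restricted, 1 unrestricted, 2 knob absent, 3 unparsable.
tiocsti_restrict_status() {
    f="${1:-/proc/sys/kernel/tiocsti_restrict}"
    if [ ! -r "$f" ]; then
        # No such sysctl: kernel was built without the restriction patches.
        echo "unsupported"
        return 2
    fi
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        1) echo "restricted";   return 0 ;;
        0) echo "unrestricted"; return 1 ;;
        *) echo "unknown:$v";   return 3 ;;
    esac
}

# tiocsti_kconfig_status [CONFIG_FILE]
# Reports the build-time setting of SECURITY_TIOCSTI_RESTRICT from a kernel
# .config (plain text or gzip-compressed). Prints: y | n | absent
# Exit status: 0 enabled, 1 disabled, 2 symbol (or config file) absent.
tiocsti_kconfig_status() {
    cfg="$1"
    if [ -z "$cfg" ]; then
        if [ -r /proc/config.gz ]; then
            cfg=/proc/config.gz
        elif [ -r "/boot/config-$(uname -r)" ]; then
            cfg="/boot/config-$(uname -r)"
        else
            echo "absent"
            return 2
        fi
    fi
    case "$cfg" in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    if $reader "$cfg" | grep -q '^CONFIG_SECURITY_TIOCSTI_RESTRICT=y$'; then
        echo "y"
        return 0
    elif $reader "$cfg" | grep -Eq '^(# CONFIG_SECURITY_TIOCSTI_RESTRICT is not set|CONFIG_SECURITY_TIOCSTI_RESTRICT=n)$'; then
        echo "n"
        return 1
    else
        # Symbol unknown to this kernel's Kconfig: the patches are not applied.
        echo "absent"
        return 2
    fi
}

# Stand-alone use: report both checks for the running host.
printf 'tiocsti_restrict sysctl : %s\n' "$(tiocsti_restrict_status)"
printf 'SECURITY_TIOCSTI_RESTRICT kconfig: %s\n' "$(tiocsti_kconfig_status)"
```

Run it directly to audit a host, or source it and call the two functions with explicit file paths; the exit codes are designed so a configuration-management check can fail on anything other than `restricted`. A reading of `unrestricted` or `absent` means an unprivileged process that shares a controlling terminal with a more privileged one can still inject input into it, which is the condition behind the sandbox, su and runuser reports above. Where the kernel knob is unavailable, the userland mitigation those su/runuser bugs led to (a fact from outside this thread) is to give the child its own pseudo-terminal instead of sharing the caller's, as util-linux `su --pty` does, so that TIOCSTI can only reach that fresh pty.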