* Reconsider possibility to disable ioctl TIOCSTI
@ 2022-10-14 19:51 Simon Brand
  2022-10-15  4:37 ` Kees Cook
From: Simon Brand @ 2022-10-14 19:51 UTC (permalink / raw)
  To: linux-hardening

Good day,

please reconsider adding a possibility to disable ioctl TIOCSTI.
In the past there have been attempts to restrict the TIOCSTI ioctl [0, 1].
None of them are present in the current kernel.
Since those attempts there have been several security issues (sandbox
escapes in flatpak (CVE-2019-10063) [2] and snap (CVE-2019-7303) [3],
runuser [4], su [5]).

I ask to merge the patches from linux-hardening [6, 7] so users can
opt out of this behavior. These patches provide the
`SECURITY_TIOCSTI_RESTRICT` Kconfig (default no) and a
`tiocsti_restrict` sysctl.

Escapes can be reproduced easily (on archlinux) via a python script:
```python
import fcntl
import termios

# Open our own controlling terminal; TIOCSTI queues bytes on its input
# as if they had been typed, so whoever reads the tty next executes them.
with open("/dev/tty", "w") as fd:
    for c in "id\n":
        # one byte per call; ioctl() expects a bytes-like argument
        fcntl.ioctl(fd, termios.TIOCSTI, c.encode())
```
Now run as root:
# su user
$ python3 /path/to/script.py ; exit
uid=0(root) ...

I asked about this before on the kernelnewbies mailing list. [8]

Best and thank you,
Simon

[0] https://lkml.kernel.org/lkml/CAG48ez1NBnrsPnHN6D9nbOJP6+Q6zEV9vfx9q7ME4Eti-vRmhQ@mail.gmail.com/T/
[1] https://lkml.kernel.org/lkml/20170420174100.GA16822@mail.hallyn.com/T/
[2] https://github.com/flatpak/flatpak/issues/2782
[3] https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapIoctlTIOCSTI
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922
[5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843
[6] https://github.com/anthraxx/linux-hardened/commit/d0e49deb1a39dc64e7c7db3340579
[7] https://github.com/anthraxx/linux-hardened/commit/ea8f20602a993c90125bf08da3989
[8] https://www.spinics.net/lists/newbies/msg64019.html

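The reproduction above shows the escape; what an administrator evaluating the proposed Kconfig/sysctl needs is the converse: a way to confirm, from an unprivileged shell, that TIOCSTI is actually refused on a given host. The following is an added example (not code from the thread, from Simon Brand, or from any kernel patch). It issues the same ioctl but queues only a single newline on the caller's own terminal and then flushes the input queue, so nothing reaches the shell. The sysctl paths are not from the thread: `/proc/sys/dev/tty/legacy_tiocsti` is the knob mainline later merged for this, and `/proc/sys/kernel/tiocsti_restrict` is assumed to be where linux-hardened exposes its `tiocsti_restrict` sysctl. Run it as a normal user; a CAP_SYS_ADMIN caller is allowed through by both variants, so a root run proves nothing.

```python
"""Probe whether the TIOCSTI ioctl is restricted for this (unprivileged) process.

Added example, not part of the mailing-list thread or of any kernel patch.
"""
import errno
import fcntl
import os
import termios

# Outcomes of probe_tiocsti()
NO_TTY = "no-tty"            # no controlling terminal (cron, CI, container): cannot test
PERMITTED = "permitted"      # unprivileged injection succeeded: anything sharing this tty is exposed
RESTRICTED = "restricted"    # kernel refused the ioctl for this caller

# Sysctl files that expose the policy; absent on kernels without the knob.
# Paths are assumptions (see lead-in), not taken from the thread.
SYSCTL_FILES = {
    "/proc/sys/dev/tty/legacy_tiocsti": "mainline: 1 = legacy (allowed), 0 = restricted",
    "/proc/sys/kernel/tiocsti_restrict": "linux-hardened (assumed path): 1 = restricted",
}


def read_sysctls(files=SYSCTL_FILES):
    """Return {path: value} for whichever of the sysctl files exist."""
    found = {}
    for path in files:
        try:
            with open(path) as f:
                found[path] = f.read().strip()
        except OSError:
            pass  # knob not present on this kernel
    return found


def classify_errno(err):
    """Map the errno of a failed TIOCSTI call to an outcome, or None if unexpected.

    Mainline's restriction returns EIO when legacy_tiocsti=0; linux-hardened's
    returns EPERM when tiocsti_restrict=1 (EPERM is also what any caller gets
    for a tty that is not its own controlling terminal).
    """
    if err in (errno.EPERM, errno.EIO):
        return RESTRICTED
    return None


def probe_tiocsti(tty_path="/dev/tty"):
    """Queue one newline on our own terminal via TIOCSTI, then discard it."""
    try:
        fd = os.open(tty_path, os.O_RDWR | os.O_NOCTTY)
    except OSError:
        return NO_TTY  # typically ENXIO: process has no controlling terminal
    try:
        try:
            fcntl.ioctl(fd, termios.TIOCSTI, b"\n")
        except OSError as e:
            outcome = classify_errno(e.errno)
            if outcome is None:
                return "error:" + errno.errorcode.get(e.errno, str(e.errno))
            return outcome
        # Injection succeeded: flush the pending input so the newline never
        # reaches the shell that regains the terminal when we exit.
        termios.tcflush(fd, termios.TCIFLUSH)
        return PERMITTED
    finally:
        os.close(fd)


if __name__ == "__main__":
    knobs = read_sysctls()
    print("sysctl state:", knobs if knobs else "no TIOCSTI sysctl present")
    print("TIOCSTI from this process:", probe_tiocsti())
```

The behavioural probe is the authoritative answer; the sysctl readout only explains why. A `permitted` result from an unprivileged user in a sandbox that shares the host's terminal is exactly the condition the flatpak, snap and su reports above describe.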

* Re: Reconsider possibility to disable ioctl TIOCSTI
  2022-10-14 19:51 Reconsider possibility to disable ioctl TIOCSTI Simon Brand
@ 2022-10-15  4:37 ` Kees Cook
  2022-10-15  5:42   ` Greg KH
From: Kees Cook @ 2022-10-15  4:37 UTC (permalink / raw)
  To: Simon Brand; +Cc: linux-hardening

On Fri, Oct 14, 2022 at 07:51:11PM +0000, Simon Brand wrote:
> please reconsider adding a possibility to disable ioctl TIOCSTI.

Yeah, please, let's. I always wanted to, and its use case is very
narrow. Even OpenBSD has removed it, somewhat motivated by the attempt
to remove it from Linux in 2017. I've sent this now:

https://lore.kernel.org/linux-hardening/20221015041626.1467372-2-keescook@chromium.org/

-- 
Kees Cook


* Re: Reconsider possibility to disable ioctl TIOCSTI
  2022-10-15  4:37 ` Kees Cook
@ 2022-10-15  5:42   ` Greg KH
  2022-10-15  6:45     ` Kees Cook
From: Greg KH @ 2022-10-15  5:42 UTC (permalink / raw)
  To: Kees Cook; +Cc: Simon Brand, linux-hardening

On Fri, Oct 14, 2022 at 09:37:04PM -0700, Kees Cook wrote:
> On Fri, Oct 14, 2022 at 07:51:11PM +0000, Simon Brand wrote:
> > please reconsider adding a possibility to disable ioctl TIOCSTI.
> 
> Yeah, please, let's. I always wanted to, and its use case is very
> narrow. Even OpenBSD has removed it, somewhat motivated by the attempt
> to remove it from Linux in 2017. I've sent this now:
> 
> https://lore.kernel.org/linux-hardening/20221015041626.1467372-2-keescook@chromium.org/

Looks good to me, I'll queue it up once -rc1 is out.

greg k-h


* Re: Reconsider possibility to disable ioctl TIOCSTI
  2022-10-15  5:42   ` Greg KH
@ 2022-10-15  6:45     ` Kees Cook
From: Kees Cook @ 2022-10-15  6:45 UTC (permalink / raw)
  To: Greg KH; +Cc: Simon Brand, linux-hardening

On Sat, Oct 15, 2022 at 07:42:28AM +0200, Greg KH wrote:
> On Fri, Oct 14, 2022 at 09:37:04PM -0700, Kees Cook wrote:
> > On Fri, Oct 14, 2022 at 07:51:11PM +0000, Simon Brand wrote:
> > > please reconsider adding a possibility to disable ioctl TIOCSTI.
> > 
> > Yeah, please, let's. I always wanted to, and its use case is very
> > narrow. Even OpenBSD has removed it, somewhat motivated by the attempt
> > to remove it from Linux in 2017. I've sent this now:
> > 
> > https://lore.kernel.org/linux-hardening/20221015041626.1467372-2-keescook@chromium.org/
> 
> Looks good to me, I'll queue it up once -rc1 is out.

Thanks! I sent a v2 to fix two small errors.

-- 
Kees Cook

