* Possibility of merge of disable ioctl TIOCSTI patch
From: Simon Brand @ 2022-05-24 11:10 UTC
To: kernelnewbies
Hi,
In the past there have been attempts to restrict the TIOCSTI ioctl. [0, 1]
None of them are present in the current kernel.
Since those tries there have been some security issues (sandbox
escapes in flatpak (CVE-2019-10063) [2] and snap (CVE-2019-7303) [3],
runuser [4], su [5]).
I would provide a patch which leaves the current behavior as default,
but TIOCSTI can be disabled via Kconfig or cmdline switch.
Is there any chance this will get merged in 2022, since past
attempts failed?
Escapes can be reproduced easily (on archlinux) via a python script:
```
import fcntl
import termios
with open("/dev/tty", "w") as fd:
    for c in "id\n":
        fcntl.ioctl(fd, termios.TIOCSTI, c)
```
Now run as root:
```
# su user
$ python3 /path/to/script.py ; exit
uid=0(root) ...
```
Best,
Simon
[0] https://lkml.kernel.org/lkml/CAG48ez1NBnrsPnHN6D9nbOJP6+Q6zEV9vfx9q7ME4Eti-vRmhQ@mail.gmail.com/T/
[1] https://lkml.kernel.org/lkml/20170420174100.GA16822@mail.hallyn.com/T/
[2] https://github.com/flatpak/flatpak/issues/2782
[3] https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapIoctlTIOCSTI
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922
[5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
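As an added example (not from Simon's mail or from any of the patches referenced in this thread), here is the userspace half of the fix that a privilege-dropping wrapper like su or runuser can apply regardless of the kernel's TIOCSTI policy. The kernel only honours TIOCSTI on the caller's controlling terminal (it returns EPERM otherwise unless the caller has CAP_SYS_ADMIN), so starting the child in a new session removes the precondition for the injection; the probe child and the `run_child`/`child_tty_status` helpers are constructed for this example.

```python
# Added example, not from the thread: run the less-privileged child in a new
# session (setsid) so it shares no controlling terminal with the caller.
# TIOCSTI is only honoured on the caller's controlling tty (EPERM otherwise,
# unless CAP_SYS_ADMIN), so the child can neither open /dev/tty (ENXIO) nor
# use the inherited stdin fd as a target for the injection.
import errno
import subprocess
import sys

# Constructed probe run as the child: exit 0 if /dev/tty can be opened,
# otherwise exit with the errno (ENXIO = no controlling terminal).
_TTY_PROBE = (
    "import os, sys\n"
    "try:\n"
    "    fd = os.open('/dev/tty', os.O_RDWR)\n"
    "except OSError as e:\n"
    "    sys.exit(e.errno)\n"
    "os.close(fd)\n"
    "sys.exit(0)\n"
)


def run_child(argv, detach=True):
    """Run argv the way a privilege-dropping wrapper should: in a new session,
    so the child has no controlling terminal in common with the caller.
    Returns the child's exit status. detach=False is the unsafe shared-tty case."""
    return subprocess.run(argv, start_new_session=detach, check=False).returncode


def child_tty_status(detach=True):
    """Spawn the probe; return 0 if the child could reach /dev/tty, else the
    errno it hit (ENXIO once it is detached from any terminal)."""
    return run_child([sys.executable, "-c", _TTY_PROBE], detach=detach)


def child_can_inject(detach=True):
    """True only while the child still has a controlling tty, i.e. while the
    precondition for the TIOCSTI trick from the mail above is still met."""
    return child_tty_status(detach=detach) == 0


if __name__ == "__main__":
    status = child_tty_status(detach=True)
    name = errno.errorcode.get(status, status)
    print("detached child can reach /dev/tty:", status == 0, "" if status == 0 else name)
```

An interactive target shell started this way needs a fresh pty of its own (util-linux su and runuser do this with `--pty`); the new session is what removes the shared terminal.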
* Re: Possibility of merge of disable ioctl TIOCSTI patch
From: Yann Droneaud @ 2022-06-01 15:41 UTC
To: Simon Brand, kernelnewbies, linux-hardening, kernel-hardening
Hi,
On 24/05/2022 at 13:10, Simon Brand wrote:
> Hi,
>
> In the past there have been attempts to restrict the TIOCSTI ioctl. [0, 1]
> None of them are present in the current kernel.
> Since those tries there have been some security issues (sandbox
> escapes in flatpak (CVE-2019-10063) [2] and snap (CVE-2019-7303) [3],
> runuser [4], su [5]).
>
> I would provide a patch which leaves the current behavior as default,
> but TIOCSTI can be disabled via Kconfig or cmdline switch.
> Is there any chance this will get merged in 2022, since past
> attempts failed?
>
> Escapes can be reproduced easily (on archlinux) via a python script:
> ```
> import fcntl
> import termios
> with open("/dev/tty", "w") as fd:
>     for c in "id\n":
>         fcntl.ioctl(fd, termios.TIOCSTI, c)
> ```
> Now run as root:
> ```
> # su user
> $ python3 /path/to/script.py ; exit
> uid=0(root) ...
> ```
>
> Best,
> Simon
>
>
> [0] https://lkml.kernel.org/lkml/CAG48ez1NBnrsPnHN6D9nbOJP6+Q6zEV9vfx9q7ME4Eti-vRmhQ@mail.gmail.com/T/
> [1] https://lkml.kernel.org/lkml/20170420174100.GA16822@mail.hallyn.com/T/
> [2] https://github.com/flatpak/flatpak/issues/2782
> [3] https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapIoctlTIOCSTI
> [4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922
> [5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843
>
This is probably a topic for the (kernel|linux)-hardening@ mailing lists.
Regards.
--
Yann Droneaud
OPTEYA
* Re: Possibility of merge of disable ioctl TIOCSTI patch
From: Levente Polyak @ 2022-06-01 19:03 UTC
To: Yann Droneaud, Simon Brand, kernelnewbies, linux-hardening, kernel-hardening
On 6/1/22 17:41, Yann Droneaud wrote:
>> I would provide a patch which leaves the current behavior as default,
>> but TIOCSTI can be disabled via Kconfig or cmdline switch.
>> Is there any chance this will get merged in 2022, since past
>> attempts failed?
>>
Small side note:
A complete version of Matt's initial patch has lived on in
linux-hardened [0][1] with the `SECURITY_TIOCSTI_RESTRICT` Kconfig
(default no) and a `tiocsti_restrict` sysctl.
If a re-attempt is feasible, both patches [0][1] could potentially be
re-proposed as is.
In linux-hardened we have an independent patch [2] which simply sets the
default value of `SECURITY_TIOCSTI_RESTRICT` to `yes`, but that most
likely is not desired.
cheers,
Levente
[0] https://github.com/anthraxx/linux-hardened/commit/d0e49deb1a39dc64e7c7db3340579cfc9ab1e0df
[1] https://github.com/anthraxx/linux-hardened/commit/ea8f20602a993c90125bf08da39894f01166dc73
[2] https://github.com/anthraxx/linux-hardened/commit/238551f7b6a138d6f9ba0d55fe70cf6ddc237f47