Reconsider possibility to disable icotl TIOCSTI

Reconsider possibility to disable icotl TIOCSTI

[Simon Brand]

Good day,

please reconsider to add a possibility to disable icotl TIOCSTI.
In the past there have been attempts to restrict the TIOCSTI ioctl. [0, 1]
None of them are present in the current kernel.
Since those tries there have been some security issues (sandbox
escapes in flatpak (CVE-2019-10063) [2] and snap (CVE 2019-7303) [3],
runuser [4], su [5]).

I ask to merge the patches from linux-hardening [6, 7] so users can
opt out of this behavior. These patches provide the
`SECURITY_TIOCSTI_RESTRICT` Kconfig (default no) and a
`tiocsti_restrict` sysctl.

Escapes can be reproduced easiliy (on archlinux) via a python script:
```
import fcntl
import termios
with open("/dev/tty", "w") as fd:
    for c in "id\n":
        fcntl.ioctl(fd, termios.TIOCSTI, c)
```
Now run as root:
# su user
$ python3 /path/to/script.py ; exit
uid=0(root) ...

I asked it before on kernelnewbies mailing list. [8]

Best and thank you,
Simon

[0] https://lkml.kernel.org/lkml/CAG48ez1NBnrsPnHN6D9nbOJP6+Q6zEV9vfx9q7ME4Eti-vRmhQ@mail.gmail.com/T/
[1] https://lkml.kernel.org/lkml/20170420174100.GA16822@mail.hallyn.com/T/
[2] https://github.com/flatpak/flatpak/issues/2782
[3] https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapIoctlTIOCSTI
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922
[5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843
[6] https://github.com/anthraxx/linux-hardened/commit/d0e49deb1a39dc64e7c7db3340579
[7] https://github.com/anthraxx/linux-hardened/commit/ea8f20602a993c90125bf08da3989
[8] https://www.spinics.net/lists/newbies/msg64019.html

Re: Reconsider possibility to disable icotl TIOCSTI

[Kees Cook]

On Fri, Oct 14, 2022 at 07:51:11PM +0000, Simon Brand wrote:
> please reconsider to add a possibility to disable icotl TIOCSTI.

Yeah, please, let's. I always wanted to, and its use case is very
narrow. Even OpenBSD has removed it, somewhat motivated by the attempt
to remove it from Linux in 2017. I've sent this now:

https://lore.kernel.org/linux-hardening/20221015041626.1467372-2-keescook@chromium.org/

-- 
Kees Cook

Re: Reconsider possibility to disable icotl TIOCSTI

[Greg KH]

On Fri, Oct 14, 2022 at 09:37:04PM -0700, Kees Cook wrote:
> On Fri, Oct 14, 2022 at 07:51:11PM +0000, Simon Brand wrote:
> > please reconsider to add a possibility to disable icotl TIOCSTI.
> 
> Yeah, please, let's. I always wanted to, and its use case is very
> narrow. Even OpenBSD has removed it, somewhat motivated by the attempt
> to remove it from Linux in 2017. I've sent this now:
> 
> https://lore.kernel.org/linux-hardening/20221015041626.1467372-2-keescook@chromium.org/

Looks good to me, I'll queue it up once -rc1 is out.

greg k-h

Re: Reconsider possibility to disable icotl TIOCSTI

[Kees Cook]

On Sat, Oct 15, 2022 at 07:42:28AM +0200, Greg KH wrote:
> On Fri, Oct 14, 2022 at 09:37:04PM -0700, Kees Cook wrote:
> > On Fri, Oct 14, 2022 at 07:51:11PM +0000, Simon Brand wrote:
> > > please reconsider to add a possibility to disable icotl TIOCSTI.
> > 
> > Yeah, please, let's. I always wanted to, and its use case is very
> > narrow. Even OpenBSD has removed it, somewhat motivated by the attempt
> > to remove it from Linux in 2017. I've sent this now:
> > 
> > https://lore.kernel.org/linux-hardening/20221015041626.1467372-2-keescook@chromium.org/
> 
> Looks good to me, I'll queue it up once -rc1 is out.

Thanks! I sent a v2 to fix two small errors.

-- 
Kees Cook