* Reconsider possibility to disable ioctl TIOCSTI
From: Simon Brand @ 2022-10-14 19:51 UTC
To: linux-hardening
Good day,
please reconsider adding a possibility to disable the ioctl TIOCSTI.
In the past there have been attempts to restrict the TIOCSTI ioctl. [0, 1]
None of them are present in the current kernel.
Since those attempts there have been some security issues (sandbox
escapes in flatpak (CVE-2019-10063) [2] and snap (CVE-2019-7303) [3],
runuser [4], su [5]).
I ask to merge the patches from linux-hardening [6, 7] so users can
opt out of this behavior. These patches provide the
`SECURITY_TIOCSTI_RESTRICT` Kconfig (default no) and a
`tiocsti_restrict` sysctl.
Escapes can be reproduced easily (on archlinux) via a python script:
```python
import fcntl
import termios

with open("/dev/tty", "w") as fd:
    # each character is queued as if it had been typed on the terminal
    for c in "id\n":
        fcntl.ioctl(fd, termios.TIOCSTI, c)
```
Now run as root:
# su user
$ python3 /path/to/script.py ; exit
uid=0(root) ...
I asked it before on kernelnewbies mailing list. [8]
Best and thank you,
Simon
[0] https://lkml.kernel.org/lkml/CAG48ez1NBnrsPnHN6D9nbOJP6+Q6zEV9vfx9q7ME4Eti-vRmhQ@mail.gmail.com/T/
[1] https://lkml.kernel.org/lkml/20170420174100.GA16822@mail.hallyn.com/T/
[2] https://github.com/flatpak/flatpak/issues/2782
[3] https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapIoctlTIOCSTI
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922
[5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843
[6] https://github.com/anthraxx/linux-hardened/commit/d0e49deb1a39dc64e7c7db3340579
[7] https://github.com/anthraxx/linux-hardened/commit/ea8f20602a993c90125bf08da3989
[8] https://www.spinics.net/lists/newbies/msg64019.html
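A defender-side companion to the reproducer above, added here as an example; it is not code from the thread or from the linux-hardened patches. It reports whether the running kernel exposes an off-switch for TIOCSTI and shows the process-isolation mitigation that privilege-dropping wrappers can use where it does not. The sysctl path `/proc/sys/dev/tty/legacy_tiocsti` is an assumption based on the knob that later landed in mainline as `CONFIG_LEGACY_TIOCSTI` (Linux 6.2); the function names are mine.

```python
"""Defensive helpers around the TIOCSTI ioctl (added example, not from the thread).

Assumptions, repeated from the lead-in:
  * The sysctl for the request in this thread is dev.tty.legacy_tiocsti
    (CONFIG_LEGACY_TIOCSTI, Linux 6.2+); older kernels have no such file.
  * The kernel only honours TIOCSTI on the caller's *controlling* terminal
    (unprivileged callers on any other tty get -EPERM), so a child started in
    a fresh session cannot inject into the terminal it inherited on stdin.
"""
import subprocess

TIOCSTI_KNOB = "/proc/sys/dev/tty/legacy_tiocsti"  # assumed path, see docstring


def read_knob(path=TIOCSTI_KNOB):
    """Return the sysctl value as a string, or None when the kernel has no knob."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def classify_knob(value):
    """Map the raw knob value to an audit state."""
    if value is None:
        return "unavailable"   # pre-6.2 kernel or knob compiled out: TIOCSTI is live
    if value == "0":
        return "restricted"    # ioctl refused for unprivileged callers
    if value == "1":
        return "permitted"     # legacy behaviour, as in the thread's reproducer
    return "unknown"


def run_detached(argv, **kwargs):
    """Run argv in a new session so it has no controlling terminal.

    Mitigation for privilege-dropping wrappers on kernels without the knob:
    with no controlling tty the child's TIOCSTI on the inherited fd is
    refused. The price is job control, which is why util-linux's su and
    runuser instead grew a --pty option that gives the child its own
    pseudo-terminal.
    """
    return subprocess.run(argv, start_new_session=True, **kwargs).returncode


def report(path=TIOCSTI_KNOB):
    """One-line status for a hardening audit script."""
    state = classify_knob(read_knob(path))
    advice = {
        "restricted": "TIOCSTI disabled; sandboxes and su/runuser are covered",
        "permitted": "set sysctl dev.tty.legacy_tiocsti=0 unless something needs it",
        "unavailable": "no kernel knob; detach (setsid) or allocate a pty when dropping privileges",
        "unknown": "unexpected value, inspect manually",
    }[state]
    return f"{state}: {advice}"


if __name__ == "__main__":
    print(report())
```

Run it on the host being audited; `report()` is the line to feed into a compliance check, and `run_detached()` is the pattern a wrapper that drops privileges can adopt until it can rely on the sysctl being set to 0.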
* Re: Reconsider possibility to disable ioctl TIOCSTI
From: Kees Cook @ 2022-10-15 4:37 UTC
To: Simon Brand; +Cc: linux-hardening
On Fri, Oct 14, 2022 at 07:51:11PM +0000, Simon Brand wrote:
> please reconsider adding a possibility to disable the ioctl TIOCSTI.
Yeah, please, let's. I always wanted to, and its use case is very
narrow. Even OpenBSD has removed it, somewhat motivated by the attempt
to remove it from Linux in 2017. I've sent this now:
https://lore.kernel.org/linux-hardening/20221015041626.1467372-2-keescook@chromium.org/
--
Kees Cook
* Re: Reconsider possibility to disable ioctl TIOCSTI
From: Greg KH @ 2022-10-15 5:42 UTC
To: Kees Cook; +Cc: Simon Brand, linux-hardening
On Fri, Oct 14, 2022 at 09:37:04PM -0700, Kees Cook wrote:
> On Fri, Oct 14, 2022 at 07:51:11PM +0000, Simon Brand wrote:
> > please reconsider adding a possibility to disable the ioctl TIOCSTI.
>
> Yeah, please, let's. I always wanted to, and its use case is very
> narrow. Even OpenBSD has removed it, somewhat motivated by the attempt
> to remove it from Linux in 2017. I've sent this now:
>
> https://lore.kernel.org/linux-hardening/20221015041626.1467372-2-keescook@chromium.org/
Looks good to me, I'll queue it up once -rc1 is out.
greg k-h
* Re: Reconsider possibility to disable ioctl TIOCSTI
From: Kees Cook @ 2022-10-15 6:45 UTC
To: Greg KH; +Cc: Simon Brand, linux-hardening
On Sat, Oct 15, 2022 at 07:42:28AM +0200, Greg KH wrote:
> On Fri, Oct 14, 2022 at 09:37:04PM -0700, Kees Cook wrote:
> > On Fri, Oct 14, 2022 at 07:51:11PM +0000, Simon Brand wrote:
> > > please reconsider adding a possibility to disable the ioctl TIOCSTI.
> >
> > Yeah, please, let's. I always wanted to, and its use case is very
> > narrow. Even OpenBSD has removed it, somewhat motivated by the attempt
> > to remove it from Linux in 2017. I've sent this now:
> >
> > https://lore.kernel.org/linux-hardening/20221015041626.1467372-2-keescook@chromium.org/
>
> Looks good to me, I'll queue it up once -rc1 is out.
Thanks! I sent a v2 to fix two small errors.
--
Kees Cook