linux-hardening.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Simon Brand <simon.brand@postadigitale.de>
To: linux-hardening@vger.kernel.org
Subject: Reconsider possibility to disable icotl TIOCSTI
Date: Fri, 14 Oct 2022 19:51:11 +0000	[thread overview]
Message-ID: <Y0m9l52AKmw6Yxi1@hostpad> (raw)

Good day,

please reconsider to add a possibility to disable icotl TIOCSTI.
In the past there have been attempts to restrict the TIOCSTI ioctl. [0, 1]
None of them are present in the current kernel.
Since those tries there have been some security issues (sandbox
escapes in flatpak (CVE-2019-10063) [2] and snap (CVE 2019-7303) [3],
runuser [4], su [5]).

I ask to merge the patches from linux-hardening [6, 7] so users can
opt out of this behavior. These patches provide the
`SECURITY_TIOCSTI_RESTRICT` Kconfig (default no) and a
`tiocsti_restrict` sysctl.

Escapes can be reproduced easiliy (on archlinux) via a python script:
```
import fcntl
import termios
with open("/dev/tty", "w") as fd:
    for c in "id\n":
        fcntl.ioctl(fd, termios.TIOCSTI, c)
```
Now run as root:
# su user
$ python3 /path/to/script.py ; exit
uid=0(root) ...

I asked it before on kernelnewbies mailing list. [8]

Best and thank you,
Simon

[0] https://lkml.kernel.org/lkml/CAG48ez1NBnrsPnHN6D9nbOJP6+Q6zEV9vfx9q7ME4Eti-vRmhQ@mail.gmail.com/T/
[1] https://lkml.kernel.org/lkml/20170420174100.GA16822@mail.hallyn.com/T/
[2] https://github.com/flatpak/flatpak/issues/2782
[3] https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapIoctlTIOCSTI
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922
[5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843
[6] https://github.com/anthraxx/linux-hardened/commit/d0e49deb1a39dc64e7c7db3340579
[7] https://github.com/anthraxx/linux-hardened/commit/ea8f20602a993c90125bf08da3989
[8] https://www.spinics.net/lists/newbies/msg64019.html

             reply	other threads:[~2022-10-14 20:00 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-10-14 19:51 Simon Brand [this message]
2022-10-15  4:37 ` Reconsider possibility to disable icotl TIOCSTI Kees Cook
2022-10-15  5:42   ` Greg KH
2022-10-15  6:45     ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Y0m9l52AKmw6Yxi1@hostpad \
    --to=simon.brand@postadigitale.de \
    --cc=linux-hardening@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).