From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752338AbdEEXVZ (ORCPT ); Fri, 5 May 2017 19:21:25 -0400 Received: from relay8-d.mail.gandi.net ([217.70.183.201]:40647 "EHLO relay8-d.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751161AbdEEXVX (ORCPT ); Fri, 5 May 2017 19:21:23 -0400 X-Originating-IP: 72.66.113.207 From: Matt Brown To: serge@hallyn.com, gregkh@linuxfoundation.org, jslaby@suse.com, akpm@linux-foundation.org, jannh@google.com, keescook@chromium.org Cc: jmorris@namei.org, kernel-hardening@lists.openwall.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v6 0/2] security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN Date: Fri, 5 May 2017 19:20:16 -0400 Message-Id: <20170505232018.28846-1-matt@nmatt.com> X-Mailer: git-send-email 2.10.2 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This patchset introduces the tiocsti_restrict sysctl, whose default is controlled via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this control restricts all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users. This patch was inspired from GRKERNSEC_HARDEN_TTY. This patch would have prevented https://bugzilla.redhat.com/show_bug.cgi?id=1411256 under the following conditions: * non-privileged container * container run inside new user namespace Possible effects on userland: There could be a few user programs that would be effected by this change. See: notable programs are: agetty, csh, xemacs and tcsh However, I still believe that this change is worth it given that the Kconfig defaults to n. This will be a feature that is turned on for the same reason that people activate it when using grsecurity. Users of this opt-in feature will realize that they are choosing security over some OS features like unprivileged TIOCSTI ioctls, as should be clear in the Kconfig help message. Threat Model/Patch Rational: >>From grsecurity's config for GRKERNSEC_HARDEN_TTY. | There are very few legitimate uses for this functionality and it | has made vulnerabilities in several 'su'-like programs possible in | the past. Even without these vulnerabilities, it provides an | attacker with an easy mechanism to move laterally among other | processes within the same user's compromised session. So if one process within a tty session becomes compromised it can follow that additional processes, that are thought to be in different security boundaries, can be compromised as a result. When using a program like su or sudo, these additional processes could be in a tty session where TTY file descriptors are indeed shared over privilege boundaries. This is also an excellent writeup about the issue: When user namespaces are in use, the check for the capability CAP_SYS_ADMIN is done against the user namespace that originally opened the tty. # Changes since v5: * added acks/reviews # Changes since v4: * fixed typo # Changes since v3: * use get_user_ns and put_user_ns to take and drop references to the owner user namespace because CONFIG_USER_NS is an option # Changes since v2: * take/drop reference to user namespace on tty struct alloc/free to prevent use-after-free. # Changes since v1: * added owner_user_ns to tty_struct to enable capability checks against the namespace that created the tty. * rewording in different places to make patchset purpose clear * Added Documentation