Hi,
Le 24/05/2022 à 13:10, Simon Brand a écrit :
Hi,
in the past there have been attempts to restrict the TIOCSTI ioctl. [0, 1]
None of them are present in the current kernel.
Since those tries there have been some security issues (sandbox
escapes in flatpak (CVE-2019-10063) [2] and snap (CVE 2019-7303) [3],
runuser [4], su [5]).
I would provide a patch which leaves the current behavior as default,
but TIOCSTI can be disabled via Kconfig or cmdline switch.
Is there any chance this will get merged in 2022, since past
attempts failed?
Escapes can be reproduced easiliy (on archlinux) via a python script:
```
import fcntl
import termios
with open("/dev/tty", "w") as fd:
for c in "id\n":
fcntl.ioctl(fd, termios.TIOCSTI, c)
```
Now run as root:
# su user
$ python3 /path/to/script.py ; exit
uid=0(root) ...
Best,
Simon
[0] https://lkml.kernel.org/lkml/CAG48ez1NBnrsPnHN6D9nbOJP6+Q6zEV9vfx9q7ME4Eti-vRmhQ@xxxxxxxxxxxxxx/T/
[1] https://lkml.kernel.org/lkml/20170420174100.GA16822@xxxxxxxxxxxxxxx/T/
[2] https://github.com/flatpak/flatpak/issues/2782
[3] https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapIoctlTIOCSTI
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922
[5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843
This is probably some topic for (kernel|linux)-hardening@ mailing lists.
Regards.
--
Yann Droneaud
OPTEYA
