Re: Possibility of merge of disable icotl TIOCSTI patch

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Le 24/05/2022 à 13:10, Simon Brand a écrit :

in the past there have been attempts to restrict the TIOCSTI ioctl. [0, 1]
None of them are present in the current kernel.
Since those tries there have been some security issues (sandbox
escapes in flatpak (CVE-2019-10063) [2] and snap (CVE 2019-7303) [3],
runuser [4], su [5]).

I would provide a patch which leaves the current behavior as default,
but TIOCSTI can be disabled via Kconfig or cmdline switch.
Is there any chance this will get merged in 2022, since past
attempts failed?

Escapes can be reproduced easiliy (on archlinux) via a python script:
import fcntl
import termios
with open("/dev/tty", "w") as fd:
     for c in "id\n":
         fcntl.ioctl(fd, termios.TIOCSTI, c)
Now run as root:
# su user
$ python3 /path/to/ ; exit
uid=0(root) ...



This is probably some topic for (kernel|linux)-hardening@ mailing lists.



Yann Droneaud


[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux