Re: [PATCH v3 0/1] Restrict access to TIOCLINUX

On Fri, Sep 15, 2023 at 03:32:29PM +0200, Günther Noack wrote:
> On Tue, Aug 29, 2023 at 03:00:19PM +0200, Günther Noack wrote:
> > Let me update the list of known usages then: The TIOCL_SETSEL, TIOCL_PASTESEL
> > and TIOCL_SELLOADLUT mentions found on codesearch.debian.net are:
> > 
> > (1) Actual invocations:
> > 
> >  * consolation:
> >      "consolation" is a gpm clone, which also runs as root.
> >      (I have not had the chance to test this one yet.)
> 
> I have tested the consolation program with a kernel that has the patch, and it
> works as expected -- you can copy and paste on the console.
> 
> 
> >  * BRLTTY:
> >      Uses TIOCL_SETSEL as a means to highlight portions of the screen.
> >      The TIOCSTI patch made BRLTTY work by requiring CAP_SYS_ADMIN,
> >      so we know that BRLTTY has that capability (it runs as root and
> >      does not drop it).
> > 
> > (2) Some irrelevant matches:
> > 
> >  * snapd: has a unit test mentioning it, to test their seccomp filters
> >  * libexplain: mentions it, but does not call it (it's a library for
> >    human-readably decoding system calls)
> >  * manpages: documentation
> > 
> > 
> > *Outside* of codesearch.debian.org:
> > 
> >  * gpm:
> >      I've verified that this works with the patch.
> >      (To my surprise, Debian does not index this project's code.)
> 
> (As Samuel pointed out, I was wrong there - Debian does index it, but it does
> not use the #defines from the headers... who would have thought...)
> 
> 
> > FWIW, I also briefly looked into "jamd" (https://jamd.sourceforge.net/), which
> > was mentioned as similar in the manpage for "consolation", but that software
> > does not use any ioctls at all.
> > 
> > So overall, it still seems like nothing should break. 👍
> 
> Summarizing the above - the only three programs which are known to use the
> affected TIOCLINUX subcommands are:
> 
> * consolation (tested)
> * gpm (tested)
> * BRLTTY (known to work with TIOCSTI, where the same CAP_SYS_ADMIN requirement
>   has been imposed for a while now)
> 
> I think that this is a safe change for the existing usages and that we have done
> the due diligence required to turn off these features.
> 
> Greg, could you please have another look?

Can you spin a v4 with all these details collected into the commit log?
That should be sufficient information for Greg, I would think.

Thanks for checking each of these!

-Kees

-- 
Kees Cook


