On Fri, Sep 15, 2023 at 03:32:29PM +0200, Günther Noack wrote: > On Tue, Aug 29, 2023 at 03:00:19PM +0200, Günther Noack wrote: > > Let me update the list of known usages then: The TIOCL_SETSEL, TIOCL_PASTESEL > > and TIOCL_SELLOADLUT mentions found on codesearch.debian.net are: > > > > (1) Actual invocations: > > > > * consolation: > > "consolation" is a gpm clone, which also runs as root. > > (I have not had the chance to test this one yet.) > > I have tested the consolation program with a kernel that has the patch, and it > works as expected -- you can copy and paste on the console. > > > > * BRLTTY: > > Uses TIOCL_SETSEL as a means to highlight portions of the screen. > > The TIOCSTI patch made BRLTTY work by requiring CAP_SYS_ADMIN, > > so we know that BRLTTY has that capability (it runs as root and > > does not drop it). > > > > (2) Some irrelevant matches: > > > > * snapd: has a unit test mentioning it, to test their seccomp filters > > * libexplain: mentions it, but does not call it (it's a library for > > human-readably decoding system calls) > > * manpages: documentation > > > > > > *Outside* of codesearch.debian.org: > > > > * gpm: > > I've verified that this works with the patch. > > (To my surprise, Debian does not index this project's code.) > > (As Samuel pointed out, I was wrong there - Debian does index it, but it does > not use the #defines from the headers... who would have thought...) > > > > FWIW, I also briefly looked into "jamd" (https://jamd.sourceforge.net/), which > > was mentioned as similar in the manpage for "consolation", but that software > > does not use any ioctls at all. > > > > So overall, it still seems like nothing should break. 👍 > > Summarizing the above - the only three programs which are known to use the > affected TIOCLINUX subcommands are: > > * consolation (tested) > * gpm (tested) > * BRLTTY (known to work with TIOCSTI, where the same CAP_SYS_ADMIN requirement > is imposed for a while now) > > I think that this is a safe change for the existing usages and that we have done > the due diligence required to turn off these features. > > Greg, could you please have another look? Can you spin a v4 with all these details collected into the commit log? That should be sufficient information for Greg, I would think. Thanks for checking each of these! -Kees -- Kees Cook