Hi, Le 24/05/2022 à 13:10, Simon Brand a écrit :
Hi, in the past there have been attempts to restrict the TIOCSTI ioctl. [0, 1] None of them are present in the current kernel. Since those tries there have been some security issues (sandbox escapes in flatpak (CVE-2019-10063) [2] and snap (CVE 2019-7303) [3], runuser [4], su [5]). I would provide a patch which leaves the current behavior as default, but TIOCSTI can be disabled via Kconfig or cmdline switch. Is there any chance this will get merged in 2022, since past attempts failed? Escapes can be reproduced easiliy (on archlinux) via a python script: ``` import fcntl import termios with open("/dev/tty", "w") as fd: for c in "id\n": fcntl.ioctl(fd, termios.TIOCSTI, c) ``` Now run as root: # su user $ python3 /path/to/script.py ; exit uid=0(root) ... Best, Simon [0] https://lkml.kernel.org/lkml/CAG48ez1NBnrsPnHN6D9nbOJP6+Q6zEV9vfx9q7ME4Eti-vRmhQ@xxxxxxxxxxxxxx/T/ [1] https://lkml.kernel.org/lkml/20170420174100.GA16822@xxxxxxxxxxxxxxx/T/ [2] https://github.com/flatpak/flatpak/issues/2782 [3] https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapIoctlTIOCSTI [4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922 [5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843
This is probably some topic for (kernel|linux)-hardening@ mailing lists. Regards. -- Yann Droneaud OPTEYA _______________________________________________ Kernelnewbies mailing list Kernelnewbies@xxxxxxxxxxxxxxxxx https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies