Re: Possibility of merge of disable icotl TIOCSTI patch

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

Le 24/05/2022 à 13:10, Simon Brand a écrit :
Hi,

in the past there have been attempts to restrict the TIOCSTI ioctl. [0, 1]
None of them are present in the current kernel.
Since those tries there have been some security issues (sandbox
escapes in flatpak (CVE-2019-10063) [2] and snap (CVE 2019-7303) [3],
runuser [4], su [5]).

I would provide a patch which leaves the current behavior as default,
but TIOCSTI can be disabled via Kconfig or cmdline switch.
Is there any chance this will get merged in 2022, since past
attempts failed?

Escapes can be reproduced easiliy (on archlinux) via a python script:
```
import fcntl
import termios
with open("/dev/tty", "w") as fd:
     for c in "id\n":
         fcntl.ioctl(fd, termios.TIOCSTI, c)
```
Now run as root:
# su user
$ python3 /path/to/script.py ; exit
uid=0(root) ...

Best,
Simon


[0] https://lkml.kernel.org/lkml/CAG48ez1NBnrsPnHN6D9nbOJP6+Q6zEV9vfx9q7ME4Eti-vRmhQ@xxxxxxxxxxxxxx/T/
[1] https://lkml.kernel.org/lkml/20170420174100.GA16822@xxxxxxxxxxxxxxx/T/
[2] https://github.com/flatpak/flatpak/issues/2782
[3] https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapIoctlTIOCSTI
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922
[5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843


This is probably some topic for (kernel|linux)-hardening@ mailing lists.


Regards.

--

Yann Droneaud

OPTEYA



_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies




[Index of Archives]     [Newbies FAQ]     [Linux Kernel Mentors]     [Linux Kernel Development]     [IETF Annouce]     [Git]     [Networking]     [Security]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux SCSI]     [Linux ACPI]

  Powered by Linux