On 09/25/2016 09:25 AM, Paul Moore wrote:
> On Sat, Sep 24, 2016 at 5:57 AM, <up201407890@xxxxxxxxxxxxxxxxxxx> wrote:
>> Quoting "Stephen Smalley" <sds@xxxxxxxxxxxxx>:
>>> Thank you for the bug report. This bug is now fixed in upstream commit
>>> acca96a135a4d2a028ba9b636886af99c0915379.
>>
>> Cool, thanks. Though it'll lose job control, that's why most 'su-like'
>> programs refuse to patch this and are still vulnerable.
>
> I think we should wait and see if people complain about the loss
> of job control; I'd rather see us fix the problem with TIOCSTI.
>
>> Anyways, the same happens with the 'runcon' utility:
>
> I don't think we need to fix this for runcon, as it isn't a
> sandboxing tool like sandbox, and the loss of job control would likely
> be much more noticeable for runcon.

FWIW, this issue can be addressed through policy without changes to runcon in one of two ways:

1) Policy can prevent the new context from using the controlling tty at all, in which case the kernel will reset the controlling tty automatically (flush_unauthorized_files() in security/selinux/hooks.c),

2) Policy can allow the new context to read/write the tty but prevent use of TIOCSTI in particular via the ioctl whitelisting support introduced in Linux 4.3 and libsepol/checkpolicy 2.5.

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
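The two policy-only mitigations described in the message, written out as an added example (this is not code from the thread or from the SELinux project): two alternative raw `.te` modules for checkmodule, one per option. The domain name `runcon_target_t` (the domain runcon transitions into) and the pty type `user_devpts_t` are assumed placeholders; substitute the types from your own policy (`ls -Z "$(tty)"` shows the pty's type). Install one module or the other, not both, since the first forbids exactly what the second allows.

```selinux
# Added example, not from the mailing-list thread. runcon_target_t and
# user_devpts_t are assumed placeholder names.

# ---------- Option 1: runcon_notty.te ----------
# Grant the new domain nothing on the tty. When the process execs into
# runcon_target_t, flush_unauthorized_files() (security/selinux/hooks.c)
# finds that the controlling tty is not readable/writable by the new
# context and drops it, so no tty descriptor survives into the new domain.
# The cost is the loss of job control. No allow rule is needed; the
# neverallow turns "no rule exists" into a build-time invariant.
module runcon_notty 1.0;

require {
    type runcon_target_t;
    type user_devpts_t;
    class chr_file { read write append ioctl };
}

neverallow runcon_target_t user_devpts_t:chr_file { read write append ioctl };

# ---------- Option 2: runcon_nosti.te ----------
# Keep the tty usable (so job control still works) but whitelist ioctl
# commands. Once an allowxperm rule exists for this source/target/class,
# only the listed command numbers are permitted. ~{ ... } is the complement
# over the 16-bit ioctl command space, so this permits every ioctl except
# TIOCSTI. 0x5412 is TIOCSTI on x86 and arm64 (asm-generic/ioctls.h);
# some architectures use a different value, so check <asm/ioctls.h>.
# Requires Linux >= 4.3 and libsepol/checkpolicy >= 2.5.
module runcon_nosti 1.0;

require {
    type runcon_target_t;
    type user_devpts_t;
    class chr_file { read write append getattr ioctl };
}

# The ordinary ioctl permission must still be granted; allowxperm only
# narrows it to the whitelisted command numbers.
allow runcon_target_t user_devpts_t:chr_file { read write append getattr ioctl };
allowxperm runcon_target_t user_devpts_t:chr_file ioctl ~{ 0x5412 };
```

Either file builds and installs with `checkmodule -M -m -o NAME.mod NAME.te`, `semodule_package -o NAME.pp -m NAME.mod`, `semodule -i NAME.pp`. With option 2 in place, an attempt to use TIOCSTI from the confined domain shows up in the audit log as an AVC denial on `chr_file ioctl` carrying `ioctlcmd=0x5412`, which is a useful thing to alert on; with option 1, the new domain simply has no controlling tty to open. The installed xperm rule can be inspected with setools' `sesearch --allowx -s runcon_target_t -t user_devpts_t -c chr_file`.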