Possibility of merge of disable icotl TIOCSTI patch

Yann Droneaud ydroneaud at opteya.com
Wed Jun 1 11:41:47 EDT 2022


Hi,

Le 24/05/2022 à 13:10, Simon Brand a écrit :
> Hi,
>
> in the past there have been attempts to restrict the TIOCSTI ioctl. [0, 1]
> None of them are present in the current kernel.
> Since those tries there have been some security issues (sandbox
> escapes in flatpak (CVE-2019-10063) [2] and snap (CVE 2019-7303) [3],
> runuser [4], su [5]).
>
> I would provide a patch which leaves the current behavior as default,
> but TIOCSTI can be disabled via Kconfig or cmdline switch.
> Is there any chance this will get merged in 2022, since past
> attempts failed?
>
> Escapes can be reproduced easiliy (on archlinux) via a python script:
> ```
> import fcntl
> import termios
> with open("/dev/tty", "w") as fd:
>      for c in "id\n":
>          fcntl.ioctl(fd, termios.TIOCSTI, c)
> ```
> Now run as root:
> # su user
> $ python3 /path/to/script.py ; exit
> uid=0(root) ...
>
> Best,
> Simon
>
>
> [0] https://lkml.kernel.org/lkml/CAG48ez1NBnrsPnHN6D9nbOJP6+Q6zEV9vfx9q7ME4Eti-vRmhQ@mail.gmail.com/T/
> [1] https://lkml.kernel.org/lkml/20170420174100.GA16822@mail.hallyn.com/T/
> [2] https://github.com/flatpak/flatpak/issues/2782
> [3] https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapIoctlTIOCSTI
> [4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922
> [5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843
>

This is probably some topic for (kernel|linux)-hardening@ mailing lists.


Regards.

-- 

Yann Droneaud

OPTEYA





More information about the Kernelnewbies mailing list