Possibility of merge of disable icotl TIOCSTI patch

Simon Brand simon.brand at postadigitale.de
Tue May 24 07:10:26 EDT 2022


in the past there have been attempts to restrict the TIOCSTI ioctl. [0, 1]
None of them are present in the current kernel.
Since those tries there have been some security issues (sandbox
escapes in flatpak (CVE-2019-10063) [2] and snap (CVE 2019-7303) [3],
runuser [4], su [5]).

I would provide a patch which leaves the current behavior as default,
but TIOCSTI can be disabled via Kconfig or cmdline switch.
Is there any chance this will get merged in 2022, since past
attempts failed?

Escapes can be reproduced easiliy (on archlinux) via a python script:
import fcntl
import termios
with open("/dev/tty", "w") as fd:
    for c in "id\n":
        fcntl.ioctl(fd, termios.TIOCSTI, c)
Now run as root:
# su user
$ python3 /path/to/script.py ; exit
uid=0(root) ...


[0] https://lkml.kernel.org/lkml/CAG48ez1NBnrsPnHN6D9nbOJP6+Q6zEV9vfx9q7ME4Eti-vRmhQ@mail.gmail.com/T/
[1] https://lkml.kernel.org/lkml/20170420174100.GA16822@mail.hallyn.com/T/
[2] https://github.com/flatpak/flatpak/issues/2782
[3] https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapIoctlTIOCSTI
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922
[5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843

More information about the Kernelnewbies mailing list