lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 Oct 2022 19:51:11 +0000 From: Simon Brand <simon.brand@...tadigitale.de> To: linux-hardening@...r.kernel.org Subject: Reconsider possibility to disable icotl TIOCSTI Good day, please reconsider to add a possibility to disable icotl TIOCSTI. In the past there have been attempts to restrict the TIOCSTI ioctl. [0, 1] None of them are present in the current kernel. Since those tries there have been some security issues (sandbox escapes in flatpak (CVE-2019-10063) [2] and snap (CVE 2019-7303) [3], runuser [4], su [5]). I ask to merge the patches from linux-hardening [6, 7] so users can opt out of this behavior. These patches provide the `SECURITY_TIOCSTI_RESTRICT` Kconfig (default no) and a `tiocsti_restrict` sysctl. Escapes can be reproduced easiliy (on archlinux) via a python script: ``` import fcntl import termios with open("/dev/tty", "w") as fd: for c in "id\n": fcntl.ioctl(fd, termios.TIOCSTI, c) ``` Now run as root: # su user $ python3 /path/to/script.py ; exit uid=0(root) ... I asked it before on kernelnewbies mailing list. [8] Best and thank you, Simon [0] https://lkml.kernel.org/lkml/CAG48ez1NBnrsPnHN6D9nbOJP6+Q6zEV9vfx9q7ME4Eti-vRmhQ@mail.gmail.com/T/ [1] https://lkml.kernel.org/lkml/20170420174100.GA16822@mail.hallyn.com/T/ [2] https://github.com/flatpak/flatpak/issues/2782 [3] https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapIoctlTIOCSTI [4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922 [5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843 [6] https://github.com/anthraxx/linux-hardened/commit/d0e49deb1a39dc64e7c7db3340579 [7] https://github.com/anthraxx/linux-hardened/commit/ea8f20602a993c90125bf08da3989 [8] https://www.spinics.net/lists/newbies/msg64019.html
Powered by blists - more mailing lists