Message-ID: <CAEjxPJ6v12nLFx-x4-=esuPMp7L8UBvTzoj1kkTPcD2mDKKW8w@mail.gmail.com>
Date: Mon, 23 Jun 2025 08:38:52 -0400
From: Stephen Smalley <stephen.smalley.work@...il.com>
To: xandfury@...il.com
Cc: Shuah Khan <shuah@...nel.org>, Nathan Chancellor <nathan@...nel.org>,
Nick Desaulniers <nick.desaulniers+lkml@...il.com>, Bill Wendling <morbo@...gle.com>,
Justin Stitt <justinstitt@...gle.com>, Paul Moore <paul@...l-moore.com>,
Ondrej Mosnacek <omosnace@...hat.com>, linux-kernel@...r.kernel.org,
linux-kselftest@...r.kernel.org, llvm@...ts.linux.dev,
selinux@...r.kernel.org, kees@...nel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH 2/2] selinux: add capability checks for TIOCSTI ioctl
On Sun, Jun 22, 2025 at 9:41 PM Abhinav Saxena via B4 Relay
<devnull+xandfury.gmail.com@...nel.org> wrote:
>
> From: Abhinav Saxena <xandfury@...il.com>
>
> The TIOCSTI ioctl currently only checks the current process's
> credentials, creating a TOCTOU vulnerability where an unprivileged
> process can open a TTY fd and pass it to a privileged process via
> SCM_RIGHTS.
>
> Fix by requiring BOTH the file opener (file->f_cred) AND the current
> process to have CAP_SYS_ADMIN. This prevents privilege escalation
> while ensuring legitimate use cases continue to work.
>
> Link: https://github.com/KSPP/linux/issues/156
>
> Signed-off-by: Abhinav Saxena <xandfury@...il.com>
> ---
> security/selinux/hooks.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 595ceb314aeb..a628551873ab 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3847,6 +3847,12 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
> CAP_OPT_NONE, true);
> break;
>
> + case TIOCSTI:
> + if (!file_ns_capable(file, &init_user_ns, CAP_SYS_ADMIN) ||
> + !capable(CAP_SYS_ADMIN))
> + error = -EPERM;
> + break;
> +
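Review bot: the new `case TIOCSTI:` takes the command out of the `default:` path, so when both credentials hold CAP_SYS_ADMIN the hook returns 0 without the generic SELinux ioctl permission check that governed TIOCSTI before, and when either lacks it the result is a bare `error = -EPERM;` with no AVC audit record, unlike the capability call whose tail is visible just above the hunk (`CAP_OPT_NONE, true);`). If a capability requirement is wanted here, gate it behind a new policy capability, make the decision through the same audited capability helper the neighbouring cases use, and still fall through to the ordinary ioctl permission check on success so existing policy keeps applying. Also, `file_ns_capable(file, &init_user_ns, CAP_SYS_ADMIN)` and `capable(CAP_SYS_ADMIN)` both test against the initial user namespace, so a caller that opened the tty itself but only has CAP_SYS_ADMIN in a child user namespace is refused outright; the commit message's claim that legitimate use cases continue to work should say whether that is intended.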
So, aside from what I said previously, this also will break any existing policies currently controlling TIOCSTI via the selinux ioctl checking in the default case, so at the very least, this would need to be gated by a new SELinux policy capability for compatibility purposes. But I'm still unconvinced that this is the right approach.
> case FIOCLEX:
> case FIONCLEX:
> if (!selinux_policycap_ioctl_skip_cloexec())
>
> --
> 2.43.0
>
>
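As an added illustration of the fd-passing path the commit message describes (example code written for this page, not part of the patch or of anything posted in the thread), the following C program sends a descriptor over a UNIX socket with SCM_RIGHTS, shows that the receiver ends up with a distinct descriptor number for the same open file, and then issues TIOCSTI on that descriptor as the receiving process. A pipe is used as a constructed stand-in for the tty so the program runs without a terminal; on a pipe the ioctl fails with ENOTTY. Every function name below is the example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* Send one descriptor over UNIX socket sock via SCM_RIGHTS. 0 or -errno. */
static int send_fd(int sock, int fd)
{
	char byte = 'F';                /* SCM_RIGHTS needs at least one data byte */
	struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
	char cbuf[CMSG_SPACE(sizeof(int))];
	struct msghdr msg;
	struct cmsghdr *cm;
	memset(&msg, 0, sizeof(msg));
	memset(cbuf, 0, sizeof(cbuf));
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = cbuf;
	msg.msg_controllen = sizeof(cbuf);
	cm = CMSG_FIRSTHDR(&msg);
	cm->cmsg_level = SOL_SOCKET;
	cm->cmsg_type = SCM_RIGHTS;
	cm->cmsg_len = CMSG_LEN(sizeof(int));
	memcpy(CMSG_DATA(cm), &fd, sizeof(int));
	return sendmsg(sock, &msg, 0) < 0 ? -errno : 0;
}

/* Receive one descriptor from sock; the kernel installs a fresh entry in
 * this process's fd table. Returns that fd number or -errno. */
static int recv_fd(int sock)
{
	char byte;
	struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
	char cbuf[CMSG_SPACE(sizeof(int))];
	struct msghdr msg;
	struct cmsghdr *cm;
	int fd;
	memset(&msg, 0, sizeof(msg));
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = cbuf;
	msg.msg_controllen = sizeof(cbuf);
	if (recvmsg(sock, &msg, 0) < 0)
		return -errno;
	cm = CMSG_FIRSTHDR(&msg);
	if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
	    cm->cmsg_len != CMSG_LEN(sizeof(int)))
		return -EINVAL;
	memcpy(&fd, CMSG_DATA(cm), sizeof(int));
	return fd;
}

/* Round-trip fd through a socketpair and report whether the copy that
 * arrives is a distinct descriptor number for the same open file
 * (same st_dev/st_ino). 1 = yes, 0 = no, -errno on failure. */
static int passed_fd_is_same_file(int fd)
{
	int sv[2], got = -1, ret;
	struct stat a, b;
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
		return -errno;
	ret = send_fd(sv[0], fd);
	if (ret == 0) {
		got = recv_fd(sv[1]);
		if (got < 0)
			ret = got;
		else if (fstat(fd, &a) < 0 || fstat(got, &b) < 0)
			ret = -errno;
		else
			ret = (got != fd && a.st_dev == b.st_dev && a.st_ino == b.st_ino);
		if (got >= 0)
			close(got);
	}
	close(sv[0]); close(sv[1]);
	return ret;
}

/* Try TIOCSTI on fd as the calling process: 0 if the kernel accepted the
 * injected byte, otherwise the errno it returned (ENOTTY for a non-tty). */
static int tiocsti_errno(int fd)
{
	char c = 'x';
	return ioctl(fd, TIOCSTI, &c) == 0 ? 0 : errno;
}

int main(void)
{
	int p[2], err;
	/* Constructed stand-in for the tty: a pipe, so this runs without a
	 * terminal. On a real tty the receiver is `current` for the ioctl. */
	if (pipe(p) < 0)
		return 1;
	printf("received fd is the same open file: %d\n", passed_fd_is_same_file(p[0]));
	err = tiocsti_errno(p[0]);
	printf("TIOCSTI on the pipe: errno %d (%s)\n", err, strerror(err));
	close(p[0]); close(p[1]);
	return 0;
}
```

The point for the discussion above: when the receiving side issues the ioctl, `current` is the receiver, while the open file description it holds, and so the `file->f_cred` the patch inspects, was created by whoever called open(). Run it as an ordinary user; swapping the pipe for a tty descriptor is all that is needed to observe the real TIOCSTI decision for that kernel and policy.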