lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20250622-toicsti-bug-v1-0-f374373b04b2@gmail.com>
Date: Sun, 22 Jun 2025 19:41:06 -0600
From: Abhinav Saxena via B4 Relay <devnull+xandfury.gmail.com@...nel.org>
To: Shuah Khan <shuah@...nel.org>, Nathan Chancellor <nathan@...nel.org>, 
 Nick Desaulniers <nick.desaulniers+lkml@...il.com>, 
 Bill Wendling <morbo@...gle.com>, Justin Stitt <justinstitt@...gle.com>, 
 Paul Moore <paul@...l-moore.com>, 
 Stephen Smalley <stephen.smalley.work@...il.com>, 
 Ondrej Mosnacek <omosnace@...hat.com>
Cc: linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org, 
 llvm@...ts.linux.dev, selinux@...r.kernel.org, 
 Abhinav Saxena <xandfury@...il.com>, kees@...nel.org, 
 linux-hardening@...r.kernel.org
Subject: [PATCH 0/2] Possible TTY privilege escalation in TIOCSTI ioctl

This patch series was initially sent to security@k.o; resending it in
public. I might follow-up with a tests series which addresses similar 
issues with TIOCLINUX.

===============

The TIOCSTI ioctl uses capable(CAP_SYS_ADMIN) for access control, which 
checks the current process's credentials. However, it doesn't validate 
against the file opener's credentials stored in file->f_cred.

This creates a potential security issue where an unprivileged process 
can open a TTY fd and pass it to a privileged process via SCM_RIGHTS. 
The privileged process may then inadvertently grant access based on its 
elevated privileges rather than the original opener's credentials.

Background
==========

As noted in previous discussion, while CONFIG_LEGACY_TIOCSTI can restrict 
TIOCSTI usage, it is enabled by default in most distributions. Even when 
CONFIG_LEGACY_TIOCSTI=n, processes with CAP_SYS_ADMIN can still use TIOCSTI 
according to the Kconfig documentation.

Additionally, CONFIG_LEGACY_TIOCSTI controls the default value for the 
dev.tty.legacy_tiocsti sysctl, which remains runtime-configurable. This 
means the described attack vector could work on systems even with 
CONFIG_LEGACY_TIOCSTI=n, particularly on Ubuntu 24.04 where it's "restricted" 
but still functional.

Solution Approach
=================

This series addresses the issue through SELinux LSM integration rather 
than modifying core TTY credential checking to avoid potential compatibility 
issues with existing userspace.

The enhancement adds proper current task and file credential capability 
validation in SELinux's selinux_file_ioctl() hook specifically for 
TIOCSTI operations.

Testing
=======

All patches have been validated using:
- scripts/checkpatch.pl --strict (0 errors, 0 warnings)
- Functional testing on kernel v6.16-rc2
- File descriptor passing security test scenarios
- SELinux policy enforcement testing

The fd_passing_security test demonstrates the security concern.
To verify, disable legacy TIOCSTI and run the test:

$ echo "0" | sudo tee /proc/sys/dev/tty/legacy_tiocsti
$ sudo ./tools/testing/selftests/tty/tty_tiocsti_test -t fd_passing_security

Patch Overview
==============

PATCH 1/2: selftests/tty: add TIOCSTI test suite
Comprehensive test suite demonstrating the issue and fix validation

PATCH 2/2: selinux: add capability checks for TIOCSTI ioctl
Core security enhancement via SELinux LSM hook

References
==========

- tty_ioctl(4) - documents TIOCSTI ioctl and capability requirements
- commit 83efeeeb3d04 ("tty: Allow TIOCSTI to be disabled")
- Documentation/security/credentials.rst
- https://github.com/KSPP/linux/issues/156
- https://lore.kernel.org/linux-hardening/Y0m9l52AKmw6Yxi1@hostpad/
- drivers/tty/Kconfig

Configuration References:
[1] - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/tty/Kconfig#n149
[2] - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/tty/Kconfig#n162
[3] - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/tty/Kconfig#n188

To: Shuah Khan <shuah@...nel.org>
To: Nathan Chancellor <nathan@...nel.org>
To: Nick Desaulniers <nick.desaulniers+lkml@...il.com>
To: Bill Wendling <morbo@...gle.com>
To: Justin Stitt <justinstitt@...gle.com>
To: Paul Moore <paul@...l-moore.com>
To: Stephen Smalley <stephen.smalley.work@...il.com>
To: Ondrej Mosnacek <omosnace@...hat.com>
Cc: linux-kernel@...r.kernel.org
Cc: linux-kselftest@...r.kernel.org
Cc: llvm@...ts.linux.dev
Cc: selinux@...r.kernel.org

Signed-off-by: Abhinav Saxena <xandfury@...il.com>
---
Abhinav Saxena (2):
      selftests/tty: add TIOCSTI test suite
      selinux: add capability checks for TIOCSTI ioctl

 security/selinux/hooks.c                       |   6 +
 tools/testing/selftests/tty/Makefile           |   6 +-
 tools/testing/selftests/tty/config             |   1 +
 tools/testing/selftests/tty/tty_tiocsti_test.c | 421 +++++++++++++++++++++++++
 4 files changed, 433 insertions(+), 1 deletion(-)
---
base-commit: 5adb635077d1b4bd65b183022775a59a378a9c00
change-id: 20250618-toicsti-bug-7822b8e94a32

Best regards,
-- 
Abhinav Saxena <xandfury@...il.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ