Date: Wed, 28 Dec 2022 00:41:59 +0100
From: Samuel Thibault
To: Kees Cook, Greg Kroah-Hartman, Jiri Slaby, Simon Brand, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v3 2/2] tty: Allow TIOCSTI to be disabled
Message-ID: <20221227234159.y53uxqc6i2tkd4nq@begin>
References: <20221022182828.give.717-kees@kernel.org> <20221022182949.2684794-2-keescook@chromium.org> <20221227234000.jgosvixx7eahqb3z@begin>
In-Reply-To: <20221227234000.jgosvixx7eahqb3z@begin>
X-Mailing-List: linux-kernel@vger.kernel.org

Samuel Thibault, on Wed 28 Dec 2022 00:40:00 +0100, wrote:
> Hello,
> 
> Kees Cook, on Sat 22 Oct 2022 11:29:49 -0700, wrote:
> > TIOCSTI continues its long history of being used in privilege escalation
> > attacks[1]. Prior attempts to provide a mechanism to disable this have
> > devolved into discussions around creating full-blown LSMs to provide
> > arbitrary ioctl filtering, which is hugely over-engineered -- only
> > TIOCSTI is being used this way. 3 years ago OpenBSD entirely removed
> > TIOCSTI[2], Android has had it filtered for longer[3], and the tools that
> > had historically used TIOCSTI either do not need it, are not commonly
> > built with it, or have had its use removed.
> 
> No. The Brltty screen reader entirely relies on TIOCSTI to be able to
> support input from various Braille devices.
(it only needs support for it on the linux console itself, nowhere else)

> Please make sure to keep
> TIOCSTI enabled by default, otherwise some people would just completely
> lose their usual way of simply typing on Linux.
> 
> Samuel
> 
> > Provide a simple CONFIG and global sysctl to disable this for the system
> > builders who have wanted this functionality for literally decades now,
> > much like the ldisc_autoload CONFIG and sysctl.
> > 
> > [1] https://lore.kernel.org/linux-hardening/Y0m9l52AKmw6Yxi1@hostpad
> > [2] https://undeadly.org/cgi?action=article;sid=20170701132619
> > [3] https://lore.kernel.org/lkml/CAFJ0LnFGRuEEn1tCLhoki8ZyWrKfktbF+rwwN7WzyC_kBFoQVA@mail.gmail.com/
> > 
> > Cc: Greg Kroah-Hartman
> > Cc: Jiri Slaby
> > Cc: Simon Brand
> > Signed-off-by: Kees Cook
> > ---
> >  drivers/tty/Kconfig  | 19 +++++++++++++++++++
> >  drivers/tty/tty_io.c | 11 +++++++++++
> >  2 files changed, 30 insertions(+)
> > 
> > diff --git a/drivers/tty/Kconfig b/drivers/tty/Kconfig
> > index cc30ff93e2e4..d35fc068da74 100644
> > --- a/drivers/tty/Kconfig
> > +++ b/drivers/tty/Kconfig
> > @@ -149,6 +149,25 @@ config LEGACY_PTY_COUNT
> >  	  When not in use, each legacy PTY occupies 12 bytes on 32-bit
> >  	  architectures and 24 bytes on 64-bit architectures.
> >  
> > +config LEGACY_TIOCSTI
> > +	bool "Allow legacy TIOCSTI usage"
> > +	default y
> > +	help
> > +	  Historically the kernel has allowed TIOCSTI, which will push
> > +	  characters into a controlling TTY. This continues to be used
> > +	  as a malicious privilege escalation mechanism, and provides no
> > +	  meaningful real-world utility any more.
> 
> Yes it does.
> 
> > +	  Its use is considered
> > +	  a dangerous legacy operation, and can be disabled on most
> > +	  systems.
> > +
> > +	  Say 'Y here only if you have confirmed that your system's
> > +	  userspace depends on this functionality to continue operating
> > +	  normally.
> > +
> > +	  This functionality can be changed at runtime with the
> > +	  dev.tty.legacy_tiocsti sysctl. This configuration option sets
> > +	  the default value of the sysctl.
> > +
> >  config LDISC_AUTOLOAD
> >  	bool "Automatically load TTY Line Disciplines"
> >  	default y
> > diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
> > index fe77a3d41326..a6a16cf986b7 100644
> > --- a/drivers/tty/tty_io.c
> > +++ b/drivers/tty/tty_io.c
> > @@ -2268,11 +2268,15 @@ static int tty_fasync(int fd, struct file *filp, int on)
> >   *	* Called functions take tty_ldiscs_lock
> >   *	* current->signal->tty check is safe without locks
> >   */
> > +static bool tty_legacy_tiocsti __read_mostly = IS_ENABLED(CONFIG_LEGACY_TIOCSTI);
> >  static int tiocsti(struct tty_struct *tty, char __user *p)
> >  {
> >  	char ch, mbz = 0;
> >  	struct tty_ldisc *ld;
> >  
> > +	if (!tty_legacy_tiocsti)
> > +		return -EIO;
> > +
> >  	if ((current->signal->tty != tty) && !capable(CAP_SYS_ADMIN))
> >  		return -EPERM;
> >  	if (get_user(ch, p))
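Review bot: in the Kconfig hunk, the help text's claim that TIOCSTI "provides no meaningful real-world utility any more" is contradicted in this very thread by the brltty screen reader, which depends on it for Braille input on the Linux console; naming that known legitimate user in the help text would give system builders something concrete to check before switching the option off, and "Say 'Y here" has a stray quote and should read "Say Y here".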
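Review bot: in the tiocsti() hunk, the new `if (!tty_legacy_tiocsti) return -EIO;` sits before the controlling-tty / CAP_SYS_ADMIN check, so with the sysctl off even a privileged caller gets -EIO rather than reaching the -EPERM path; that is presumably intended, but neither the commit message nor the Kconfig help says the knob also applies to privileged callers or that affected programs will see EIO, which is what a user debugging a broken brltty would need to know. The diffstat also shows only drivers/tty/Kconfig and drivers/tty/tty_io.c changing, so the new dev.tty.legacy_tiocsti sysctl gets no Documentation/ entry; please add one alongside the existing ldisc_autoload description.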
> > @@ -3573,6 +3577,13 @@ void console_sysfs_notify(void)
> >  }
> >  
> >  static struct ctl_table tty_table[] = {
> > +	{
> > +		.procname	= "legacy_tiocsti",
> > +		.data		= &tty_legacy_tiocsti,
> > +		.maxlen		= sizeof(tty_legacy_tiocsti),
> > +		.mode		= 0644,
> > +		.proc_handler	= proc_dobool,
> > +	},
> >  	{
> >  		.procname	= "ldisc_autoload",
> >  		.data		= &tty_ldisc_autoload,
> > -- 
> > 2.34.1
> > 
> 
> -- 
> Samuel
> ---
> For an independent, transparent and rigorous evaluation!
> I support Inria's Commission d'Évaluation.

-- 
Samuel
---
For an independent, transparent and rigorous evaluation!
I support Inria's Commission d'Évaluation.
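Review bot: in the tty_table hunk, `.mode = 0644` with `proc_dobool` means root can flip legacy_tiocsti back on at runtime, so a kernel built with CONFIG_LEGACY_TIOCSTI=n is only as disabled as its sysctl configuration; that matches the ldisc_autoload entry directly below it, but the commit message should say so, since system builders who have "wanted this functionality for literally decades" may assume the Kconfig default alone pins it off. The `tty_legacy_tiocsti` referenced by `.data` is the `static bool` declared next to tiocsti() in the earlier hunk of the same file, so a one-line comment at that declaration pointing to this sysctl entry would help readers find where the knob is exposed.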