Date: Sun, 25 Jun 2023 17:56:25 +0200
From: Samuel Thibault
To: Kees Cook, Kees Cook, Greg Kroah-Hartman, Jiri Slaby, Simon Brand, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, Dave@mielke.cc
Subject: Re: [PATCH v3 2/2] tty: Allow TIOCSTI to be disabled

Hello,

Samuel Thibault, on Wed. 28 Dec. 2022 21:57:26 +0100, wrote:
> Kees Cook, on Tue. 27 Dec. 2022 19:32:55 -0800, wrote:
> > On December 27, 2022 3:40:00 PM PST, Samuel Thibault wrote:
> > >Kees Cook, on Sat. 22 Oct. 2022 11:29:49 -0700, wrote:
> > >> TIOCSTI continues its long history of being used in privilege escalation
> > >> attacks[1]. Prior attempts to provide a mechanism to disable this have
> > >> devolved into discussions around creating full-blown LSMs to provide
> > >> arbitrary ioctl filtering, which is hugely over-engineered -- only
> > >> TIOCSTI is being used this way. 3 years ago OpenBSD entirely removed
> > >> TIOCSTI[2], Android has had it filtered for longer[3], and the tools that
> > >> had historically used TIOCSTI either do not need it, are not commonly
> > >> built with it, or have had its use removed.
> > >
> > >No. The Brltty screen reader entirely relies on TIOCSTI to be able to
> > >support input from various Braille devices. Please make sure to keep
> > >TIOCSTI enabled by default, otherwise some people would just completely
> > >lose their usual way of simply typing on Linux.
> >
> > Yup, it remains default enabled:
>
> Yes, but thinking of it, very soon people in various security-sensitive
> distributions will disable it, as they should indeed. And people who
> need to use their Braille device on such distributions will get stuck.

And as expected, it did get disabled in Debian for instance, very much
to the dismay of blind users, whose keyboard suddenly stopped working at
all after rebooting with a Linux 6.3 kernel!...

> Can we perhaps just introduce a CAP_TIOCSTI that the brltty daemon would
> be able to use? We could even make it only allow TIOCSTI on the linux
> console (tty->ops == con_ops).

*Please* comment on this so we can progress. ATM people are advising
each other to set dev.tty.legacy_tiocsti=1, which is just
counter-productive in terms of security...

Really, this is a serious regression for the people affected by this.

Samuel
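The workaround mentioned in the message above (setting dev.tty.legacy_tiocsti=1) can be audited on a host. The script below is an added example, not part of the original message or of the kernel patch. The function names and the order in which the configuration files are scanned are assumptions of this example; the sysctl name is the one quoted in the message.

```shell
#!/bin/sh
# Audit a host for dev.tty.legacy_tiocsti being switched back on.
# Assumption: files are passed in the order they are applied (last one wins).

# Print "file:value" for every assignment of the sysctl found in the files.
tiocsti_overrides() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Comment lines (# or ;) never match. Accept the optional "-" prefix
        # and both the dotted and the slash-separated key spelling.
        sed -n -E 's|^[[:space:]]*-?dev[./]tty[./]legacy_tiocsti[[:space:]]*=[[:space:]]*([0-9]+).*$|\1|p' "$f" |
        while read -r v; do printf '%s:%s\n' "$f" "$v"; done
    done
}

# Configured state after all files are applied: enabled, disabled or unset.
tiocsti_configured_state() {
    last=$(tiocsti_overrides "$@" | tail -n 1)
    case "${last##*:}" in
        "") echo unset ;;
        0)  echo disabled ;;
        *)  echo enabled ;;
    esac
}

# Running kernel's state. "absent" means the kernel has no such sysctl,
# so TIOCSTI cannot be switched off there.
tiocsti_runtime_state() {
    p=${1:-/proc/sys/dev/tty/legacy_tiocsti}
    [ -r "$p" ] || { echo absent; return; }
    case "$(cat "$p")" in
        0) echo disabled ;;
        *) echo enabled ;;
    esac
}

# Report for this host; every override is listed so it can be reviewed.
tiocsti_overrides /etc/sysctl.d/*.conf /etc/sysctl.conf
echo "configured: $(tiocsti_configured_state /etc/sysctl.d/*.conf /etc/sysctl.conf)"
echo "runtime:    $(tiocsti_runtime_state)"
```

A configured state of "enabled" on a distribution that ships the sysctl as 0 points to a local override, which is where to check whether the host actually runs brltty.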