Date: Tue, 2 Jan 2024 12:51:40 +0100
From: Greg KH
To: 孟敬姿
Cc: jirislaby@kernel.org, linux-kernel@vger.kernel.org, linux-serial@vger.kernel.org
Subject: Re: inappropriate capability checks in tty_ioctl()
Message-ID: <2024010247-polio-brittle-1b23@gregkh>
References: <19ed91a4.10d80.18cc9f7d2ea.Coremail.mengjingzi@iie.ac.cn>
In-Reply-To: <19ed91a4.10d80.18cc9f7d2ea.Coremail.mengjingzi@iie.ac.cn>

On Tue, Jan 02, 2024 at 07:38:31PM +0800, 孟敬姿 wrote:
> Hi!
>
> We would like to propose an adjustment to the capability checks in the tty_ioctl() function. Currently, the function uses CAP_SYS_ADMIN to protect three subcommands: TIOCCONS, TIOCSTI and TIOCVHANGUP. We propose updating this to use CAP_SYS_TTY_CONFIG instead for the following reasons:
>
> (1) CAP_SYS_TTY_CONFIG is more relevant to the functions: The three subcommands are responsible for tty-related functions: redirecting console output (TIOCCONS), faking input to a terminal (TIOCSTI), and making the terminal be hung up (TIOCVHANGUP). According to the definitions in the capability manual page[1], CAP_SYS_TTY_CONFIG is specifically designed for "employing various privileged ioctl(2) operations on virtual terminals." This aligns more closely with the intended usage scenario compared to CAP_SYS_ADMIN.
>
> (2) Consistency: CAP_SYS_TTY_CONFIG is already employed in other parts of the kernel to protect TIOCVHANGUP-like functionality. For instance, in tty_ioctl() CAP_SYS_ADMIN is used before tty_vhangup(), while in SYSCALL_DEFINE0(vhangup), which is located in fs/open.c, the check is done with CAP_SYS_TTY_CONFIG before tty_vhangup().
>
> (3) Maintaining Least Privilege: CAP_SYS_ADMIN is already overloaded and known as the new "root"[2]. According to the manual page[1], "don't choose CAP_SYS_ADMIN if you can possibly avoid it"; switching to CAP_SYS_TTY_CONFIG could be helpful for standardizing the use of capabilities and implementing least privilege.
>
> This issue exists in several kernel versions and we have checked it on the latest stable release (Linux 6.6.9). We would appreciate your thoughts and feedback on this proposal. Thank you for your time and consideration.

What would break if you made such a change?  Have you tried it and
tested it out?

Also, if you wish to have a change accepted, we need an actual patch to
apply, that shows you did the work and research to ensure that it will
work properly.

thanks,

greg k-h
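An added example, not kernel code and not part of this thread, that models the gate the proposal is about: it reads a process's effective capability set (the CapEff line of /proc/<pid>/status, here a constructed excerpt) and reports whether TIOCCONS, TIOCSTI and TIOCVHANGUP would pass a capable(CAP_SYS_ADMIN) check versus the proposed capable(CAP_SYS_TTY_CONFIG) check, which is what an auditor of a narrowly-privileged service (a getty with only CAP_SYS_TTY_CONFIG, say) would want to know. Capability bit numbers are the ones from include/uapi/linux/capability.h; the ioctl fallback values are an assumption used only if <sys/ioctl.h> lacks them.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>

/* Capability bit numbers (include/uapi/linux/capability.h). */
#define CAP_SYS_ADMIN      21
#define CAP_SYS_TTY_CONFIG 26

/* Fallbacks (asm-generic values, assumed) for non-Linux headers. */
#ifndef TIOCSTI
#define TIOCSTI     0x5412
#endif
#ifndef TIOCCONS
#define TIOCCONS    0x541D
#endif
#ifndef TIOCVHANGUP
#define TIOCVHANGUP 0x5437
#endif

/* Constructed /proc/<pid>/status excerpt: a process holding only CAP_SYS_TTY_CONFIG (bit 26). */
static const char SAMPLE_STATUS[] =
    "Name:\tgetty\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000004000000\n"
    "CapEff:\t0000000004000000\n"
    "CapBnd:\t000001ffffffffff\n";

/* Pull the hex CapEff mask out of a status text; false if the line is absent. */
static bool parse_cap_eff(const char *status, uint64_t *eff) {
    const char *p = strstr(status, "CapEff:");
    if (!p) return false;
    *eff = strtoull(p + strlen("CapEff:"), NULL, 16); /* skips the tab */
    return true;
}

/* Stand-in for the kernel's capable(): is capability bit `cap` in the mask? */
static bool cap_in_mask(uint64_t eff, int cap) { return (eff >> cap) & 1u; }

/* Would this tty ioctl pass the privilege gate? `proposed` selects the
 * CAP_SYS_TTY_CONFIG policy instead of today's CAP_SYS_ADMIN one. Commands
 * outside the three gated ones are not subject to this check. */
static bool tty_ioctl_permitted(unsigned long cmd, uint64_t eff, bool proposed) {
    switch (cmd) {
    case TIOCCONS: case TIOCSTI: case TIOCVHANGUP:
        return cap_in_mask(eff, proposed ? CAP_SYS_TTY_CONFIG : CAP_SYS_ADMIN);
    default:
        return true;
    }
}
```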