From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Sat, 5 Mar 2016 13:18:07 +0100
Subject: [refpolicy] [PATCH] Allow getty the sys_admin capability
In-Reply-To: <56D9AFA9.503@gmail.com>
References: <1457057118-4361-1-git-send-email-aranea@aixah.de>
	<56D98968.30104@tresys.com> <56D9AFA9.503@gmail.com>
Message-ID: <56DACE7F.7090502@m4x.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/04/2016 04:54 PM, Dominick Grift wrote:
> On 03/04/2016 02:11 PM, Christopher J. PeBenito wrote:
>> On 3/3/2016 9:05 PM, Luis Ressel wrote:
>>> It's required for agetty on kernels with a recent grsecurity
>>> patchset. (The denial itself has been showing up for quite some
>>> time, but it hasn't had any obvious ill effects until recently.)
> 
>> I'm reluctant to add this because it is a significant permission
>> and grsecurity is not commonly used with SELinux, to my knowledge.
> 
> 
> My getty requests this permission as well [1] and i am not using
> grsecurity. Although, i am not sure if the permission is absolutely
> needed. (then again I do not believe that it requests it for its
> health alone)

Hello, as I was wondering what was behind agetty requiring sys_admin
capabilities and what would happen if the access is denied, I took a
look to its source code.  The TIOCSTI ioctl (the mechanism which allows
injecting characters in a terminal input queue) seems to only been used
in a function named wait_for_term_input [1].  This allows the user input
to be seen as a "normal input" while wait_for_term_input temporarily
configured the terminal with ICANON, ECHO... attributes disabled.

If the ioctl(fd, TIOCSTI, buffer + i) call fails (for example because
sys_admin is not granted by SELinux), this is silently ignored.  As far
as I understand the code, wait_for_term_input function is only used at
the beginning of the login prompt (the characters are echoed to the
terminal) and not the password prompt.  Therefore the user may get the
feeling that the first typed character has been dropped somewhere.  Is
that so? Are there other annoyances that I missed in my quick analysis?

Anyway, before grsecurity added a test for sys_admin when a process uses
TIOCSTI ioctl on its own tty, the capability has already been granted
when distro_redhat is enabled.  The comment which is associated to this
access, "getty requires sys_admin #209426", is not clear to me.  Where
could I find more information about this bug report?

Cheers,
Nicolas

[1]
https://git.kernel.org/cgit/utils/util-linux/util-linux.git/tree/term-utils/agetty.c?h=v2.27.1#n1659