From: dac.override@gmail.com (Dominick Grift) Date: Sat, 5 Mar 2016 14:33:55 +0100 Subject: [refpolicy] [PATCH] Allow getty the sys_admin capability In-Reply-To: <56DACE7F.7090502@m4x.org> References: <1457057118-4361-1-git-send-email-aranea@aixah.de> <56D98968.30104@tresys.com> <56D9AFA9.503@gmail.com> <56DACE7F.7090502@m4x.org> Message-ID: <56DAE043.2030002@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 03/05/2016 01:18 PM, Nicolas Iooss wrote: > On 03/04/2016 04:54 PM, Dominick Grift wrote: >> On 03/04/2016 02:11 PM, Christopher J. PeBenito wrote: >>> On 3/3/2016 9:05 PM, Luis Ressel wrote: >>>> It's required for agetty on kernels with a recent grsecurity >>>> patchset. (The denial itself has been showing up for quite >>>> some time, but it hasn't had any obvious ill effects until >>>> recently.) >> >>> I'm reluctant to add this because it is a significant >>> permission and grsecurity is not commonly used with SELinux, to >>> my knowledge. >> >> >> My getty requests this permission as well [1] and i am not using >> grsecurity. Although, i am not sure if the permission is >> absolutely needed. (then again I do not believe that it requests >> it for its health alone) > > Hello, as I was wondering what was behind agetty requiring > sys_admin capabilities and what would happen if the access is > denied, I took a look to its source code. The TIOCSTI ioctl (the > mechanism which allows injecting characters in a terminal input > queue) seems to only been used in a function named > wait_for_term_input [1]. This allows the user input to be seen as > a "normal input" while wait_for_term_input temporarily configured > the terminal with ICANON, ECHO... attributes disabled. > > If the ioctl(fd, TIOCSTI, buffer + i) call fails (for example > because sys_admin is not granted by SELinux), this is silently > ignored. As far as I understand the code, wait_for_term_input > function is only used at the beginning of the login prompt (the > characters are echoed to the terminal) and not the password prompt. > Therefore the user may get the feeling that the first typed > character has been dropped somewhere. Is that so? Are there other > annoyances that I missed in my quick analysis? > > Anyway, before grsecurity added a test for sys_admin when a process > uses TIOCSTI ioctl on its own tty, the capability has already been > granted when distro_redhat is enabled. The comment which is > associated to this access, "getty requires sys_admin #209426", is > not clear to me. Where could I find more information about this > bug report? > Seems to be a private bug report https://bugzilla.redhat.com/show_bug.cgi?id=209426 I personally am of the opinion that we generally should not decide what a process can and cannot do. If it requests it, and if it is not a bug then I think it should be allowed. > Cheers, Nicolas > > [1] > https://git.kernel.org/cgit/utils/util-linux/util-linux.git/tree/term- utils/agetty.c?h=v2.27.1#n1659 > > _______________________________________________ > refpolicy mailing list refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > - -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQGcBAEBCAAGBQJW2uA/AAoJECV0jlU3+UdpI+AMAI4FKdRYnomRI8MQMvdijRm4 G4K2/sx2iTLV+UlnB06I4J7J6Sfm5kwyjbkMrHH9+t+NoiZLWqCxlTk9q7fN/Ktx XC0BSPQOltJ+/BN2ohWF8or4VZb2Re9gnqwl0EtOuID9ekFJuwdixFHhFcTGBPMm 4B3W6uR7sSY9cNeNJOZ0pJjciUNktNeupgBV1MDbFyeSG0wNvnAzxeYUoEnE25Sw HnTBN+/8fk9kGeTSl3ShCxvLhBluOVqQCVmq5ZdnsUGP95uPn1/XUUgy146epXGx +Mmy7lcEUPviBMhKq5IrUsYbZJoPMZr6Xdd/W5j2J0EUyY21W0lIbDLd4ica5Qsy sqsd4OCL785BHJFD/eLK2LlPR696aISlCcjpp96+nUbz8M2i8zJzxhSbk/sByeQH IizWBtfmShq9NegQKQU8HbX3uVSXJ2Eu6w+74WuUnHsCMQvhbT9llNn5bV6FRagS LkFLjXFmWnuFw3QhcYLZ4HoljUBBupqCtpJhSlOD0w== =5N+h -----END PGP SIGNATURE-----