Possibility to disable icotl TIOCSTI
From: Simon Brand
Date: Thu Oct 06 2022 - 14:54:19 EST
in the past there have been attempts to restrict the TIOCSTI ioctl. [0, 1]
None of them are present in the current kernel.
Since those tries there have been some security issues (sandbox
escapes in flatpak (CVE-2019-10063)  and snap (CVE 2019-7303) ,
runuser , su ).
I ask to merge the patches from linux-hardening [6, 7] so users can
opt out of this behavior. These patches provide the
`SECURITY_TIOCSTI_RESTRICT` Kconfig (default no) and a
Escapes can be reproduced easiliy (on archlinux) via a python script:
with open("/dev/tty", "w") as fd:
for c in "id\n":
fcntl.ioctl(fd, termios.TIOCSTI, c)
Now run as root:
# su user
$ python3 /path/to/script.py ; exit
At least to me, this result was not expected.
I asked it before on kernelnewbies mailing list. 
Please set me in CC, because I have not subscribed to this list.
Best and thank you,