Possibility to disable icotl TIOCSTI

From: Simon Brand
Date: Thu Oct 06 2022 - 14:54:19 EST


in the past there have been attempts to restrict the TIOCSTI ioctl. [0, 1]
None of them are present in the current kernel.
Since those tries there have been some security issues (sandbox
escapes in flatpak (CVE-2019-10063) [2] and snap (CVE 2019-7303) [3],
runuser [4], su [5]).

I ask to merge the patches from linux-hardening [6, 7] so users can
opt out of this behavior. These patches provide the
`SECURITY_TIOCSTI_RESTRICT` Kconfig (default no) and a
`tiocsti_restrict` sysctl.

Escapes can be reproduced easiliy (on archlinux) via a python script:
import fcntl
import termios
with open("/dev/tty", "w") as fd:
for c in "id\n":
fcntl.ioctl(fd, termios.TIOCSTI, c)
Now run as root:
# su user
$ python3 /path/to/script.py ; exit
uid=0(root) ...

At least to me, this result was not expected.

I asked it before on kernelnewbies mailing list. [8]
Please set me in CC, because I have not subscribed to this list.

Best and thank you,

[0] https://lkml.kernel.org/lkml/CAG48ez1NBnrsPnHN6D9nbOJP6+Q6zEV9vfx9q7ME4Eti-vRmhQ@xxxxxxxxxxxxxx/T/
[1] https://lkml.kernel.org/lkml/20170420174100.GA16822@xxxxxxxxxxxxxxx/T/
[2] https://github.com/flatpak/flatpak/issues/2782
[3] https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapIoctlTIOCSTI
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922
[5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843
[6] https://github.com/anthraxx/linux-hardened/commit/d0e49deb1a39dc64e7c7db3340579
[7] https://github.com/anthraxx/linux-hardened/commit/ea8f20602a993c90125bf08da3989
[8] https://www.spinics.net/lists/newbies/msg64019.html