Re: [PATCH v3 2/2] tty: Allow TIOCSTI to be disabled
From: Geert Uytterhoeven
Date: Tue Nov 15 2022 - 08:17:32 EST
Hi Kees,
On Sat, Oct 22, 2022 at 9:14 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> TIOCSTI continues its long history of being used in privilege escalation
> attacks[1]. Prior attempts to provide a mechanism to disable this have
> devolved into discussions around creating full-blown LSMs to provide
> arbitrary ioctl filtering, which is hugely over-engineered -- only
> TIOCSTI is being used this way. 3 years ago OpenBSD entirely removed
> TIOCSTI[2], Android has had it filtered for longer[3], and the tools that
> had historically used TIOCSTI either do not need it, are not commonly
> built with it, or have had its use removed.
>
> Provide a simple CONFIG and global sysctl to disable this for the system
> builders who have wanted this functionality for literally decades now,
> much like the ldisc_autoload CONFIG and sysctl.
>
> [1] https://lore.kernel.org/linux-hardening/Y0m9l52AKmw6Yxi1@hostpad
> [2] https://undeadly.org/cgi?action=article;sid=20170701132619
> [3] https://lore.kernel.org/lkml/CAFJ0LnFGRuEEn1tCLhoki8ZyWrKfktbF+rwwN7WzyC_kBFoQVA@xxxxxxxxxxxxxx/
>
> Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> Cc: Jiri Slaby <jirislaby@xxxxxxxxxx>
> Cc: Simon Brand <simon.brand@xxxxxxxxxxxxxxxx>
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
Thanks for your patch, which is now commit 83efeeeb3d04b22a ("tty:
Allow TIOCSTI to be disabled") in tty/tty-next.
> --- a/drivers/tty/Kconfig
> +++ b/drivers/tty/Kconfig
> @@ -149,6 +149,25 @@ config LEGACY_PTY_COUNT
> When not in use, each legacy PTY occupies 12 bytes on 32-bit
> architectures and 24 bytes on 64-bit architectures.
>
> +config LEGACY_TIOCSTI
> + bool "Allow legacy TIOCSTI usage"
> + default y
Obviously this should either default to n, ...
> + help
> + Historically the kernel has allowed TIOCSTI, which will push
> + characters into a controlling TTY. This continues to be used
> + as a malicious privilege escalation mechanism, and provides no
> + meaningful real-world utility any more. Its use is considered
> + a dangerous legacy operation, and can be disabled on most
> + systems.
> +
> + Say 'Y here only if you have confirmed that your system's
> + userspace depends on this functionality to continue operating
> + normally.
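Review bot: the help text line `+ Say 'Y here only if you have confirmed that your system's` has an unbalanced quote; `'Y` should read `'Y'` (or plain `Y`, as most Kconfig help text writes it). The same help text calls TIOCSTI a dangerous legacy operation and tells the user to say Y only after confirming that userspace depends on it, which contradicts `default y` a few lines above in this hunk; either the default should become `n` or the help text should be reworded so that the default and the guidance agree.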
... or the help text should be made less scary.
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@xxxxxxxxxxxxxx
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
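The commit message describes a build option and a matching runtime sysctl for turning TIOCSTI off. The following audit helper is an added example for this thread, not code from the patch or from the kernel tree: it reports whether a host still allows legacy TIOCSTI, preferring the live sysctl and falling back to the build configuration. It assumes the sysctl is exposed as /proc/sys/dev/tty/legacy_tiocsti (1 = allowed, 0 = disabled), mirroring the ldisc_autoload knob the message compares it to, and that the build option is CONFIG_LEGACY_TIOCSTI as in the hunk; both paths can be overridden so the logic can be exercised against constructed files.

```shell
#!/bin/sh
# Added example (not part of the thread or the kernel): audit whether legacy
# TIOCSTI is still allowed on this host.
#
# Assumptions, labelled as such:
#   - runtime knob: /proc/sys/dev/tty/legacy_tiocsti (1 = allowed, 0 = disabled)
#   - build option: CONFIG_LEGACY_TIOCSTI, read from /boot/config-$(uname -r)
# Both paths may be overridden via the two positional parameters for testing.

# tiocsti_status [SYSCTL_FILE] [CONFIG_FILE]
# Prints one classification and returns 0 when TIOCSTI is disabled,
# 1 when it is allowed, 2 when nothing could be determined.
tiocsti_status() {
    sysctl_file="${1:-/proc/sys/dev/tty/legacy_tiocsti}"
    config_file="${2:-/boot/config-$(uname -r)}"

    # The live sysctl wins when present: it reflects what the running kernel
    # will do right now, regardless of how it was built.
    if [ -r "$sysctl_file" ]; then
        val=$(tr -d '[:space:]' < "$sysctl_file")
        case "$val" in
            0) echo "disabled-sysctl"; return 0 ;;
            1) echo "enabled-sysctl";  return 1 ;;
        esac
    fi

    # Fall back to the build configuration. A config that does not mention
    # the symbol at all belongs to a kernel that predates the option and so
    # always allows TIOCSTI.
    if [ -r "$config_file" ]; then
        if grep -qx 'CONFIG_LEGACY_TIOCSTI=y' "$config_file"; then
            echo "enabled-config"; return 1
        elif grep -qx '# CONFIG_LEGACY_TIOCSTI is not set' "$config_file"; then
            echo "disabled-config"; return 0
        else
            echo "enabled-no-option"; return 1
        fi
    fi

    echo "unknown"; return 2
}

# Run the audit against the real host only when explicitly asked, so sourcing
# the file for its function has no side effects.
case "${1:-}" in
    --run) tiocsti_status ;;
esac
```

Invoke as `sh tiocsti_audit.sh --run` on a host; the exit status (0 disabled, 1 allowed, 2 unknown) makes it usable from a configuration-compliance check, and the printed word says which source the verdict came from.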