Re: [PATCH] tty: change the privilege required for tty operarions
From: 孟敬姿
Date: Mon Jan 15 2024 - 05:01:07 EST
> Tested how?
First of all, this change is not about functionality, only about permissions.
I wrote 3 testcases which calls ioctl() with TIOCSTI, TIOCCONS, TIOCVHANGUP
respectively. Then execute them on the origin kernel and patched kernel.
Running it on both sets of kernels gives the same result. However, through
the system error message, and the kernel log output I added, I confirmed
that the relevant functionality under the origin kernel requires sys_admin,
and under the patched kernel requires sys_tty_config.
Indeed, it doesn't have much to do with the distro either, I just tested it
on Debian, and similar tests can be done on other distros.
> Why did you just change these 3 usages, and not all of them? Why are
> these "safe" but the others not?
There are 5 capability checks in this file, all using sys_admin. The first
one is in the tiocsti function, in commit 690c8b804ad2 ("TIOCSTI: always
enable for CAP_SYS_ADMIN"), sys_admin was introduced for a special
application BRLTTY, so I hesitated to change it. In fact, BRLTTY has both
sys_admin and sys_tty_config, so modify the kernel's permission check, will
not affect BRLTTY's function. The other permission check is located in a
different function, not triggered by ioctl, so it's not written together.
> And most importantly of all, why make this change at all? Who is using
> capabilities these days in a fine-grained way to warrent this type of
> modification?
I guess you are right, there's not a lot of people using capabilities.
But the idea of a least privilege design is still tempting from a
security point of view. The scarce use of capabilities is related to
its problematic implementation, and we hope to promote its use by
improving its implementation. sys_admin is a relatively large privilege,
which may pose a risk to the system (check the cve list:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CAP_SYS_ADMIN ), and by
reducing the unnecessary use of sys_admin, we can avoid some of the risks.
In particular, the linux capability has been designed with sys_tty_config,
so it should take over the privileges originally managed by sys_admin
related to TTY.
Best regards,
Jingzi