kernel-hardening - Re: Re: [PATCH] make TIOCSTI ioctl require CAP_SYS

Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20170420152459.GA14726@mail.hallyn.com>
Date: Thu, 20 Apr 2017 10:24:59 -0500
From: "Serge E. Hallyn" <serge@...lyn.com>
To: "Serge E. Hallyn" <serge@...lyn.com>
Cc: Matt Brown <matt@...tt.com>, jmorris@...ei.org,
	gregkh@...uxfoundation.org, jslaby@...e.com,
	akpm@...ux-foundation.org, jannh@...gle.com, keescook@...omium.org,
	kernel-hardening@...ts.openwall.com,
	linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: Re: [PATCH] make TIOCSTI ioctl require
 CAP_SYS_ADMIN

Quoting Serge E. Hallyn (serge@...lyn.com):
> Quoting Matt Brown (matt@...tt.com):
> > On 04/19/2017 07:53 PM, Serge E. Hallyn wrote:
> > >Quoting Matt Brown (matt@...tt.com):
> > >>On 04/19/2017 12:58 AM, Serge E. Hallyn wrote:
> > >>>On Tue, Apr 18, 2017 at 11:45:26PM -0400, Matt Brown wrote:
> > >>>>This patch reproduces GRKERNSEC_HARDEN_TTY functionality from the grsecurity
> > >>>>project in-kernel.
> > >>>>
> > >>>>This will create the Kconfig SECURITY_TIOCSTI_RESTRICT and the corresponding
> > >>>>sysctl kernel.tiocsti_restrict that, when activated, restrict all TIOCSTI
> > >>>>ioctl calls from non CAP_SYS_ADMIN users.
> > >>>>
> > >>>>Possible effects on userland:
> > >>>>
> > >>>>There could be a few user programs that would be effected by this
> > >>>>change.
> > >>>>See: <https://codesearch.debian.net/search?q=ioctl%5C%28.*TIOCSTI>
> > >>>>notable programs are: agetty, csh, xemacs and tcsh
> > >>>>
> > >>>>However, I still believe that this change is worth it given that the
> > >>>>Kconfig defaults to n. This will be a feature that is turned on for the
> > >>>
> > >>>It's not worthless, but note that for instance before this was fixed
> > >>>in lxc, this patch would not have helped with escapes from privileged
> > >>>containers.
> > >>>
> > >>
> > >>I assume you are talking about this CVE:
> > >>https://bugzilla.redhat.com/show_bug.cgi?id=1411256
> > >>
> > >>In retrospect, is there any way that an escape from a privileged
> > >>container with the this bug could have been prevented?
> > >
> > >I don't know, that's what I was probing for.  Detecting that the pgrp
> > >or session - heck, the pid namespace - has changed would seem like a
> > >good indicator that it shouldn't be able to push.
> > >
> > 
> > pgrp and session won't do because in the case we are discussing
> > current->signal->tty is the same as tty.
> > 
> > This is the current check that is already in place:
> >  | if ((current->signal->tty != tty) && !capable(CAP_SYS_ADMIN))
> >  | 	return -EPERM;
> 
> Yeah...
> 
> > The only thing I could find to detect the tty message coming from a
> > container is as follows:
> >  | task_active_pid_ns(current)->level
> > 
> > This will be zero when run on the host, but 1 when run inside a
> > container. However this is very much a hack and could probably break
> > some userland stuff where there are multiple levels of namespaces.
> 
> Yes.  This is also however why I don't like the current patch, because
> capable() will never be true in a container, so nested containers break.
> 
> What does current->signal->tty->pgrp actually point to?  Can we take
> it to be the pgrp which opened it?  Could we check
> ns_capable(current_pid_ns()->user_ns, CAP_whatever) and get a meaningful
> answer?
> 

Ok I see that's meaningless, you can't get pidns from pid.  We could
instead add a user_ns *owner to the struct tty and store the user_ns
of the task which opened it.  It's more invasive, but also more
meaningful.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.