Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <ZN+X6o3cDWcLoviq@google.com>
Date: Fri, 18 Aug 2023 18:10:18 +0200
From: "Günther Noack" <gnoack@...gle.com>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: "Hanno Böck" <hanno@...eck.de>, kernel-hardening@...ts.openwall.com, 
	Kees Cook <keescook@...omium.org>, Jiri Slaby <jirislaby@...nel.org>, 
	Geert Uytterhoeven <geert@...ux-m68k.org>, Paul Moore <paul@...l-moore.com>, 
	Samuel Thibault <samuel@...-lyon.org>, David Laight <David.Laight@...lab.com>, 
	Simon Brand <simon.brand@...tadigitale.de>, Dave Mielke <Dave@...lke.cc>, 
	"Mickaël Salaün" <mic@...ikod.net>
Subject: Re: [PATCH] Restrict access to TIOCLINUX

Hello!

+CC the people involved in TIOCSTI

This patch seems sensible to me --
and I would like to kindly ask you to reconsider it.

On Sun, Apr 02, 2023 at 07:23:44PM +0200, Greg KH wrote:
> On Sun, Apr 02, 2023 at 07:16:52PM +0200, Hanno Böck wrote:
> > On Sun, 2 Apr 2023 16:55:01 +0200
> > Greg KH <gregkh@...uxfoundation.org> wrote:
> > 
> > > You just now broke any normal user programs that required this (or the
> > > other ioctls), and so you are going to have to force them to be run
> > > with CAP_SYS_ADMIN permissions? 
> > 
> > Are you aware of such normal user programs?
> > It was my impression that this is a relatively obscure feature and gpm
> > is pretty much the only tool using it.
> 
> "Pretty much" does not mean "none" :(

This patch only affects TIOCLINUX subcodes which are responsible for text
cut-and-paste, TIOCL_SETSEL, TIOCL_PASTESEL and TIOCL_SELLOADLUT.

The only program that I am aware of which uses cut&paste on the console is gpm.
My web searches for these subcode names have only surfaced Linux header files
and discussions about their security problems.


> > > And you didn't change anything for programs like gpm that already had
> > > root permission (and shouldn't that permission be dropped anyway?)
> > 
> > Well, you could restrict all that to a specific capability. However, it
> > is my understanding that the existing capability system is limited in
> > the number of capabilities and new ones should only be introduced in
> > rare cases. It does not seem a feature probably few people use anyway
> > deserves a new capability.
> 
> I did not suggest that a new capability be created for this, that would
> be an abust of the capability levels for sure.
> 
> > Do you have other proposals how to fix this issue? One could introduce
> > an option like for TIOCSTI that allows disabling selection features by
> > default.
> 
> What exact issue are you trying to fix here?

It's the same problem as with TIOCSTI, which got (optionally) disabled for
non-CAP_SYS_ADMIN in commit 83efeeeb3d04 ("tty: Allow TIOCSTI to be disabled")
and commit 690c8b804ad2 ("TIOCSTI: always enable for CAP_SYS_ADMIN").

The number of exploits which have used TIOCSTI in the past is long[1] and has
affected multiple sandboxing and sudo-like tools.  If the user is using the
console, TIOCLINUX's cut&paste functionality can replace TIOCSTI in these
exploits.

We have this problem with the Landlock LSM as well, with both TIOCSTI and these
TIOCLINUX subcodes.

Here is an example scenario:

* User runs a vulnerable version of the "ping" command from the console.

* The "ping" command is a hardened version which puts itself into a Landlock
  sandbox, but it still has the TTY FD through stdout.

* Ping gets buffer-overflow-exploited by an attacker through ping responses.

* The attacker can't directly access the file system, but the attacker can
  escape the sandbox by controlling the surrounding (non-sandboxed) shell on its
  terminal through TIOCLINUX.

The ping example is not completely made up -- FreeBSD had such a vulnerability
in its ping utility in 2022[2].  The impact of the vulnerability was mitigated
by FreeBSD's Capsicum sandboxing.

The correct solution for the problem on Linux is to my knowledge to create a
pty/tty pair, but that is somewhat impractical for small utilities like ping, in
order to restrict themselves (they would need to create a sidecar process to
shovel the data back and forth).  Workarounds include setsid() and seccomp-bpf,
but they also have their limits and are not a clean solution.  We've previously
discussed it in [3].

I do believe that requiring CAP_SYS_ADMIN for TIOCLINUX's TIOCL_PASTESEL subcode
would be a better approach than so many sudo-style and sandboxing tools having
to learn this lesson the hard way.  Can we please reconsider this patch?

—Günther

[1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=TIOCSTI
[2] https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc
[3] https://lore.kernel.org/all/20230626.0a8f70d4228e@gnoack.org/

-- 
Sent using Mutt 🐕 Woof Woof

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.