Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20230828164117.3608812-1-gnoack@google.com>
Date: Mon, 28 Aug 2023 18:41:16 +0200
From: "Günther Noack" <gnoack@...gle.com>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: "Hanno Böck" <hanno@...eck.de>, kernel-hardening@...ts.openwall.com, 
	Kees Cook <keescook@...omium.org>, Jiri Slaby <jirislaby@...nel.org>, 
	Geert Uytterhoeven <geert@...ux-m68k.org>, Paul Moore <paul@...l-moore.com>, 
	Samuel Thibault <samuel.thibault@...-lyon.org>, David Laight <David.Laight@...lab.com>, 
	Simon Brand <simon.brand@...tadigitale.de>, Dave Mielke <Dave@...lke.cc>, 
	"Mickaël Salaün" <mic@...ikod.net>, KP Singh <kpsingh@...gle.com>, 
	Nico Schottelius <nico-gpm2008@...ottelius.org>, 
	"Günther Noack" <gnoack@...gle.com>
Subject: [PATCH v3 0/1] Restrict access to TIOCLINUX

Hello!

This is a re-send of a patch by Hanno Böck from 2023-04-02 [1], to restrict the
use of the copy-and-paste functionality in the TIOCLINUX IOCTL.

These copy-and-paste operations can be misused in the same way as the TIOCSTI
IOCTL, which can be disabled with a CONFIG option, since commit 83efeeeb3d04
("tty: Allow TIOCSTI to be disabled") and commit 690c8b804ad2 ("TIOCSTI: always
enable for CAP_SYS_ADMIN").  With this option set to N, the use of TIOCSTI
requires CAP_SYS_ADMIN.

We believe that it should be OK to not make this configurable: For TIOCLINUX's
copy-and-paste subcommands, the only known usage so far is GPM.  I have
personally verified that this continues to work, as GPM runs as root.

The number of affected programs should be much lower than it was the case for
TIOCSTI (as TIOCLINUX only applies to virtual terminals), and even in the
TIOCLINUX case, only a handful of legitimate use cases were mentioned.  (BRLTTY,
tcsh, Emacs, special versions of "mail").  I have high confidence that GPM is
the only existing usage of that copy-and-paste feature.

(If configurability is really required, the way to be absolutely sure would be
to introduce a CONFIG option for it as well -- but it would be a pretty obscure
option to have, but we can do that if needed.)

Changes in v3:
 - Added missing Signed-off-by: line

Changes in v2:
 - Rebased to Linux v6.5
 - Reworded commit message a bit
 - Added Tested-By

[1] https://lore.kernel.org/all/20230402160815.74760f87.hanno@hboeck.de/

Hanno Böck (1):
  tty: Restrict access to TIOCLINUX' copy-and-paste subcommands

 drivers/tty/vt/vt.c | 6 ++++++
 1 file changed, 6 insertions(+)


base-commit: 2dde18cd1d8fac735875f2e4987f11817cc0bc2c
-- 
2.42.0.rc2.253.gd59a3bf2b4-goog

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.