[kernel-hardening] Re: [PATCH 3/4] restrict unprivileged TIOCSTI tty ioctl

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg KH <gregkh@linuxfoundation.org>
To: Matt Brown <matt@nmatt.com>
Cc: jmorris@namei.org, akpm@linux-foundation.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	kernel-hardening@lists.openwall.com
Subject: [kernel-hardening] Re: [PATCH 3/4] restrict unprivileged TIOCSTI tty ioctl
Date: Mon, 17 Apr 2017 08:53:45 +0200	[thread overview]
Message-ID: <20170417065345.GC21022@kroah.com> (raw)
In-Reply-To: <20170417060706.28674-4-matt@nmatt.com>

On Mon, Apr 17, 2017 at 02:07:05AM -0400, Matt Brown wrote:
> this patch depends on patch 1 and 2
> 
> enforces restrictions on unprivileged users injecting commands
> into other processes in the same tty session using the TIOCSTI ioctl
> 
> Signed-off-by: Matt Brown <matt@nmatt.com>
> ---
>  drivers/tty/tty_io.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
> index e6d1a65..31894e8 100644
> --- a/drivers/tty/tty_io.c
> +++ b/drivers/tty/tty_io.c
> @@ -2296,11 +2296,15 @@ static int tty_fasync(int fd, struct file *filp, int on)
>   *	FIXME: may race normal receive processing
>   */
>  
> +int tiocsti_restrict = IS_ENABLED(CONFIG_SECURITY_TIOCSTI_RESTRICT);
> +
>  static int tiocsti(struct tty_struct *tty, char __user *p)
>  {
>  	char ch, mbz = 0;
>  	struct tty_ldisc *ld;
>  
> +	if (tiocsti_restrict && !capable(CAP_SYS_ADMIN))
> +		return -EPERM;

So, what type of "normal" userspace operations did you just break here?
What type of "not normal" did you break/change?

Why tie this to CAP_SYS_ADMIN as well?  That wasn't listed in your
Kconfig help text.  This seems like an additional capabilities
dependancy that odds are, most people do not want...

>  	if ((current->signal->tty != tty) && !capable(CAP_SYS_ADMIN))
>  		return -EPERM;

And finally, why doesn't this original check handle what you want to do
already?

I don't understand your "threat model" you wish to address by this
change series, please be a lot more explicit in your patch changelog
descriptions.

thanks,

greg k-h

WARNING: multiple messages have this Message-ID (diff)

From: gregkh@linuxfoundation.org (Greg KH)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 3/4] restrict unprivileged TIOCSTI tty ioctl
Date: Mon, 17 Apr 2017 08:53:45 +0200	[thread overview]
Message-ID: <20170417065345.GC21022@kroah.com> (raw)
In-Reply-To: <20170417060706.28674-4-matt@nmatt.com>

On Mon, Apr 17, 2017 at 02:07:05AM -0400, Matt Brown wrote:
> this patch depends on patch 1 and 2
> 
> enforces restrictions on unprivileged users injecting commands
> into other processes in the same tty session using the TIOCSTI ioctl
> 
> Signed-off-by: Matt Brown <matt@nmatt.com>
> ---
>  drivers/tty/tty_io.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
> index e6d1a65..31894e8 100644
> --- a/drivers/tty/tty_io.c
> +++ b/drivers/tty/tty_io.c
> @@ -2296,11 +2296,15 @@ static int tty_fasync(int fd, struct file *filp, int on)
>   *	FIXME: may race normal receive processing
>   */
>  
> +int tiocsti_restrict = IS_ENABLED(CONFIG_SECURITY_TIOCSTI_RESTRICT);
> +
>  static int tiocsti(struct tty_struct *tty, char __user *p)
>  {
>  	char ch, mbz = 0;
>  	struct tty_ldisc *ld;
>  
> +	if (tiocsti_restrict && !capable(CAP_SYS_ADMIN))
> +		return -EPERM;

So, what type of "normal" userspace operations did you just break here?
What type of "not normal" did you break/change?

Why tie this to CAP_SYS_ADMIN as well?  That wasn't listed in your
Kconfig help text.  This seems like an additional capabilities
dependancy that odds are, most people do not want...

>  	if ((current->signal->tty != tty) && !capable(CAP_SYS_ADMIN))
>  		return -EPERM;

And finally, why doesn't this original check handle what you want to do
already?

I don't understand your "threat model" you wish to address by this
change series, please be a lot more explicit in your patch changelog
descriptions.

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

WARNING: multiple messages have this Message-ID (diff)

From: Greg KH <gregkh@linuxfoundation.org>
To: Matt Brown <matt@nmatt.com>
Cc: jmorris@namei.org, akpm@linux-foundation.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	kernel-hardening@lists.openwall.com
Subject: Re: [PATCH 3/4] restrict unprivileged TIOCSTI tty ioctl
Date: Mon, 17 Apr 2017 08:53:45 +0200	[thread overview]
Message-ID: <20170417065345.GC21022@kroah.com> (raw)
In-Reply-To: <20170417060706.28674-4-matt@nmatt.com>

On Mon, Apr 17, 2017 at 02:07:05AM -0400, Matt Brown wrote:
> this patch depends on patch 1 and 2
> 
> enforces restrictions on unprivileged users injecting commands
> into other processes in the same tty session using the TIOCSTI ioctl
> 
> Signed-off-by: Matt Brown <matt@nmatt.com>
> ---
>  drivers/tty/tty_io.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
> index e6d1a65..31894e8 100644
> --- a/drivers/tty/tty_io.c
> +++ b/drivers/tty/tty_io.c
> @@ -2296,11 +2296,15 @@ static int tty_fasync(int fd, struct file *filp, int on)
>   *	FIXME: may race normal receive processing
>   */
>  
> +int tiocsti_restrict = IS_ENABLED(CONFIG_SECURITY_TIOCSTI_RESTRICT);
> +
>  static int tiocsti(struct tty_struct *tty, char __user *p)
>  {
>  	char ch, mbz = 0;
>  	struct tty_ldisc *ld;
>  
> +	if (tiocsti_restrict && !capable(CAP_SYS_ADMIN))
> +		return -EPERM;

So, what type of "normal" userspace operations did you just break here?
What type of "not normal" did you break/change?

Why tie this to CAP_SYS_ADMIN as well?  That wasn't listed in your
Kconfig help text.  This seems like an additional capabilities
dependancy that odds are, most people do not want...

>  	if ((current->signal->tty != tty) && !capable(CAP_SYS_ADMIN))
>  		return -EPERM;

And finally, why doesn't this original check handle what you want to do
already?

I don't understand your "threat model" you wish to address by this
change series, please be a lot more explicit in your patch changelog
descriptions.

thanks,

greg k-h

next prev parent reply	other threads:[~2017-04-17  6:53 UTC|newest]

Thread overview: 36+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-04-17  6:07 [kernel-hardening] Patchset to Restrict Unprivileged TIOCSTI TTY Command Injection Matt Brown
2017-04-17  6:07 ` Matt Brown
2017-04-17  6:07 ` Matt Brown
2017-04-17  6:07 ` [kernel-hardening] [PATCH 1/4] added SECURITY_TIOCSTI_RESTRICT kernel config Matt Brown
2017-04-17  6:07   ` Matt Brown
2017-04-17  6:07   ` Matt Brown
2017-04-17  6:50   ` [kernel-hardening] " Greg KH
2017-04-17  6:50     ` Greg KH
2017-04-17  6:50     ` Greg KH
2017-04-18  4:29     ` [kernel-hardening] " Matt Brown
2017-04-18  4:29       ` Matt Brown
2017-04-18  4:29       ` Matt Brown
2017-04-18 13:40     ` [kernel-hardening] " Alan Cox
2017-04-18 13:40       ` Alan Cox
2017-04-18 13:40       ` Alan Cox
2017-04-18 15:49       ` [kernel-hardening] " Kees Cook
2017-04-18 15:49         ` Kees Cook
2017-04-17  6:07 ` [kernel-hardening] [PATCH 2/4] add tiocsti_restrict variable Matt Brown
2017-04-17  6:07   ` Matt Brown
2017-04-17  6:07   ` Matt Brown
2017-04-17  6:51   ` [kernel-hardening] " Greg KH
2017-04-17  6:51     ` Greg KH
2017-04-17  6:51     ` Greg KH
2017-04-17  6:07 ` [kernel-hardening] [PATCH 3/4] restrict unprivileged TIOCSTI tty ioctl Matt Brown
2017-04-17  6:07   ` Matt Brown
2017-04-17  6:07   ` Matt Brown
2017-04-17  6:53   ` Greg KH [this message]
2017-04-17  6:53     ` Greg KH
2017-04-17  6:53     ` Greg KH
2017-04-17 14:18     ` [kernel-hardening] " Jann Horn
2017-04-17 14:18       ` Jann Horn
2017-04-17 16:18       ` Matt Brown
2017-04-17 16:18         ` Matt Brown
2017-04-17  6:07 ` [kernel-hardening] [PATCH 4/4] added kernel.tiocsti_restrict sysctl Matt Brown
2017-04-17  6:07   ` Matt Brown
2017-04-17  6:07   ` Matt Brown

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170417065345.GC21022@kroah.com \
    --to=gregkh@linuxfoundation.org \
    --cc=akpm@linux-foundation.org \
    --cc=jmorris@namei.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=matt@nmatt.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.