From: "Günther Noack" <gnoack3000@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jared Finder <jared@finder.org>
Cc: stable@vger.kernel.org, "Jann Horn" <jannh@google.com>,
"Hanno Böck" <hanno@hboeck.de>,
"Jiri Slaby" <jirislaby@kernel.org>,
"Kees Cook" <kees@kernel.org>
Subject: Re: [PATCH] tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT
Date: Fri, 7 Mar 2025 11:16:21 +0100 [thread overview]
Message-ID: <20250307.9339126c0c96@gnoack.org> (raw)
In-Reply-To: <20250223205449.7432-2-gnoack3000@gmail.com>
On Sun, Feb 23, 2025 at 09:54:50PM +0100, Günther Noack wrote:
> This requirement was overeagerly loosened in commit 2f83e38a095f
> ("tty: Permit some TIOCL_SETSEL modes without CAP_SYS_ADMIN"), but as
> it turns out,
>
> (1) the logic I implemented there was inconsistent (apologies!),
>
> (2) TIOCL_SELMOUSEREPORT might actually be a small security risk
> after all, and
>
> (3) TIOCL_SELMOUSEREPORT is only meant to be used by the mouse
> daemon (GPM or Consolation), which runs as CAP_SYS_ADMIN
> already.
Greg and Jared: Friendly ping on this patch.
Could you please have a look if you can find the time?
To maybe explain in an overview again why this is safe:
The TIOCLINUX ioctl has various subcommands (uapi/linux/tiocl.h),
and one of these has in turn more subcommands. The structure is:
* TIOCLINUX, with "subcodes":
* TIOCL_SETSEL, with "selection modes":
* TIOCL_SELCHAR
* TIOCL_SELWORD
* TIOCL_SELLINE
* TIOCL_SELPOINTER
* TIOCL_SELCLEAR
* TIOCL_SELMOUSEREPORT
* TIOCL_PASTESEL
* TIOCL_SELLOADLUT
* ...
While securing TIOCLINUX, we restricted access to various subcommands
with CAP_SYS_ADMIN, but permitted different subcommands.
This table gives an overview of which TIOCL_SETSEL subcommands
required CAP_SYS_ADMIN at which point in time:
point in time
TIOCL_SETSEL sel_mode | 0 | 1 | 2 | 3
----------------------|---|---|---|---
TIOCL_SELCHAR | | x | x | x
TIOCL_SELWORD | | x | x | x
TIOCL_SELLINE | | x | x | x
TIOCL_SELPOINTER | | x | |
TIOCL_SELCLEAR | | x | |
TIOCL_SELMOUSEREPORT | | x | ? | x <-- This is the change
"x" means "requires CAP_SYS_ADMIN"
"?" means "inconsistently requires CAP_SYS_ADMIN"
The points in time are:
(0) before we required CAP_SYS_ADMIN on TIOCLINUX subcommands
(1) after commit 8d1b43f6a6df ("tty: Restrict access to TIOCLINUX' copy-and-paste subcommands")
(2) after commit 2f83e38a095f ("tty: Permit some TIOCL_SETSEL modes without CAP_SYS_ADMIN
")
(3) after this patch ("tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT")
This patch **reverts the behaviour for TIOCL_SELMOUSEREPORT back to
what it was in phase (1)** after commit 8d1b43f6a6df ("tty: Restrict
access to TIOCLINUX' copy-and-paste subcommands"). We have double
checked this in Emacs and GPM's source code earlier in this mail
thread [1] and have confidence that this is better, because:
(a) TIOCL_SELMOUSEREPORT can maybe be abused after all,
(b) it is not required for Emacs as we thought in patch (2)
(c) the behavior I implemented in patch (2) was accidentally
inconsistent
Again, apologies for the pointless back-and-forth on this fix, but it
will be better after this iteration. I hope that this summary helps
in the review. Please let me know if you have further questions.
Thanks,
–Günther
[1] https://lore.kernel.org/all/491f3df9de6593df8e70dbe77614b026@finder.org/
next prev parent reply other threads:[~2025-03-07 10:16 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-29 19:33 GPM & Emacs broken in Linux 6.7 -- ok to relax check? Jared Finder
2024-11-29 19:50 ` Jann Horn
2024-12-03 13:53 ` Günther Noack
2024-12-03 14:07 ` Günther Noack
2024-12-14 5:13 ` Jared Finder
2024-12-14 7:47 ` Greg Kroah-Hartman
2024-12-16 15:07 ` [PATCH] tty: Permit some TIOCL_SETSEL modes without CAP_SYS_ADMIN Günther Noack
2024-12-16 15:14 ` Greg Kroah-Hartman
2024-12-16 15:17 ` Greg Kroah-Hartman
2024-12-16 15:42 ` Günther Noack
2024-12-21 11:06 ` Günther Noack
2024-12-21 11:10 ` [PATCH v2] " Günther Noack
2024-12-22 8:37 ` Greg Kroah-Hartman
2025-01-10 14:21 ` Günther Noack
2025-01-10 16:50 ` Kees Cook
2025-02-08 15:18 ` Jared Finder
2025-02-08 15:28 ` Greg KH
2025-02-08 16:03 ` Jared Finder
2025-02-09 6:49 ` Greg KH
2025-02-21 0:10 ` Günther Noack
2025-02-22 21:07 ` Jared Finder
2025-02-23 20:54 ` [PATCH] tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT Günther Noack
2025-03-07 10:16 ` Günther Noack [this message]
2025-03-07 11:05 ` Greg Kroah-Hartman
2025-03-07 13:55 ` Günther Noack
2025-03-07 14:31 ` Greg Kroah-Hartman
2025-01-12 13:14 ` [PATCH v2] tty: Permit some TIOCL_SETSEL modes without CAP_SYS_ADMIN Greg Kroah-Hartman
2024-12-17 9:09 ` [PATCH] " Günther Noack
2024-12-17 8:47 ` GPM & Emacs broken in Linux 6.7 -- ok to relax check? Hanno Böck
2024-12-17 8:49 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250307.9339126c0c96@gnoack.org \
--to=gnoack3000@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=hanno@hboeck.de \
--cc=jannh@google.com \
--cc=jared@finder.org \
--cc=jirislaby@kernel.org \
--cc=kees@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.