From: Greg KH <gregkh@linuxfoundation.org>
To: xandfury@gmail.com
Cc: Shuah Khan <shuah@kernel.org>,
	Nathan Chancellor <nathan@kernel.org>,
	Nick Desaulniers <nick.desaulniers+lkml@gmail.com>,
	Bill Wendling <morbo@google.com>,
	Justin Stitt <justinstitt@google.com>,
	Paul Moore <paul@paul-moore.com>,
	Stephen Smalley <stephen.smalley.work@gmail.com>,
	Ondrej Mosnacek <omosnace@redhat.com>,
	linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
	llvm@lists.linux.dev, selinux@vger.kernel.org, kees@kernel.org,
	linux-hardening@vger.kernel.org
Subject: Re: [PATCH 2/2] selinux: add capability checks for TIOCSTI ioctl
Date: Mon, 23 Jun 2025 07:13:57 +0200
Message-ID: <2025062327-shady-broadcast-237d@gregkh>
In-Reply-To: <20250622-toicsti-bug-v1-2-f374373b04b2@gmail.com>

On Sun, Jun 22, 2025 at 07:41:08PM -0600, Abhinav Saxena via B4 Relay wrote:
> From: Abhinav Saxena <xandfury@gmail.com>
> 
> The TIOCSTI ioctl currently only checks the current process's
> credentials, creating a TOCTOU vulnerability where an unprivileged
> process can open a TTY fd and pass it to a privileged process via
> SCM_RIGHTS.

If a privileged process has a fd, what is the problem with it using this
ioctl in the first place?

> 
> Fix by requiring BOTH the file opener (file->f_cred) AND the current
> process to have CAP_SYS_ADMIN. This prevents privilege escalation
> while ensuring legitimate use cases continue to work.
> 
> Link: https://github.com/KSPP/linux/issues/156
> 
> Signed-off-by: Abhinav Saxena <xandfury@gmail.com>
> ---
>  security/selinux/hooks.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 595ceb314aeb..a628551873ab 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3847,6 +3847,12 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
>  					    CAP_OPT_NONE, true);
>  		break;
>  
> +	case TIOCSTI:
> +		if (!file_ns_capable(file, &init_user_ns, CAP_SYS_ADMIN) ||
> +		    !capable(CAP_SYS_ADMIN))
> +			error = -EPERM;
> +		break;
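Review bot: the new `case TIOCSTI:` denies the ioctl to every caller lacking CAP_SYS_ADMIN, not just to the fd-passing scenario the commit message describes, because `!capable(CAP_SYS_ADMIN)` is evaluated unconditionally; an unprivileged process issuing TIOCSTI on a tty it opened itself would now get -EPERM from this hook, which is a wider behaviour change than "requiring BOTH the file opener AND the current process" suggests, and the hunk carries no comment explaining why that is intended. Two further points on the same lines: the check is hard-wired against `&init_user_ns`, so it cannot be satisfied by a capability held in a user namespace even where the core tty code would accept it, and `error = -EPERM` is assigned directly rather than through the SELinux capability/AVC path the neighbouring case uses (the preceding case ends with `CAP_OPT_NONE, true);`), so the denial is neither policy-controlled nor audited. Suggest either dropping the blanket `capable()` term and keeping only the opener-credential check, or routing both checks through the same SELinux capability helper as the adjacent case so that policy and audit apply, and adding a short comment stating the threat being closed.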

Are you sure this type of policy should be in the selinux core code?
Wouldn't you need a "rule" for selinux to follow (or not follow) for
this type of thing and not just a blanket change to the logic?

Also, have you looked at what userspace tools actually use this ioctl to
see if this change would break anything?

thanks,

greg k-h

Thread overview: 14+ messages
2025-06-23  1:41 [PATCH 0/2] Possible TTY privilege escalation in TIOCSTI ioctl Abhinav Saxena
2025-06-23  1:41 ` Abhinav Saxena via B4 Relay
2025-06-23  1:41 ` [PATCH 1/2] selftests/tty: add TIOCSTI test suite Abhinav Saxena
2025-06-23  1:41   ` Abhinav Saxena via B4 Relay
2025-06-23 12:42   ` Stephen Smalley
2025-06-23  1:41 ` [PATCH 2/2] selinux: add capability checks for TIOCSTI ioctl Abhinav Saxena
2025-06-23  1:41   ` Abhinav Saxena via B4 Relay
2025-06-23  5:13   ` Greg KH [this message]
2025-06-23 12:38   ` Stephen Smalley
2025-06-23 15:15     ` Paul Moore
2025-06-24 20:58       ` Günther Noack
2025-06-23 12:35 ` [PATCH 0/2] Possible TTY privilege escalation in " Stephen Smalley
2025-06-28  0:38 ` Abhinav Saxena
2025-06-28  1:52   ` Theodore Ts'o
