diff mbox

[v7,2/2] security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN

Message ID 20170529213800.29438-3-matt@nmatt.com (mailing list archive)
State New, archived
Headers show

Commit Message

Matt Brown May 29, 2017, 9:38 p.m. UTC
This introduces the tiocsti_restrict sysctl, whose default is controlled
via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this control
restricts all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.

This patch depends on patch 1/2

This patch was inspired from GRKERNSEC_HARDEN_TTY.

This patch would have prevented
https://bugzilla.redhat.com/show_bug.cgi?id=1411256 under the following
conditions:
* non-privileged container
* container run inside new user namespace

Possible effects on userland:

There could be a few user programs that would be effected by this
change.
See: <https://codesearch.debian.net/search?q=ioctl%5C%28.*TIOCSTI>
notable programs are: agetty, csh, xemacs and tcsh

However, I still believe that this change is worth it given that the
Kconfig defaults to n. This will be a feature that is turned on for the
same reason that people activate it when using grsecurity. Users of this
opt-in feature will realize that they are choosing security over some OS
features like unprivileged TIOCSTI ioctls, as should be clear in the
Kconfig help message.

Threat Model/Patch Rational:

From grsecurity's config for GRKERNSEC_HARDEN_TTY.

 | There are very few legitimate uses for this functionality and it
 | has made vulnerabilities in several 'su'-like programs possible in
 | the past.  Even without these vulnerabilities, it provides an
 | attacker with an easy mechanism to move laterally among other
 | processes within the same user's compromised session.

So if one process within a tty session becomes compromised it can follow
that additional processes, that are thought to be in different security
boundaries, can be compromised as a result. When using a program like su
or sudo, these additional processes could be in a tty session where TTY
file descriptors are indeed shared over privilege boundaries.

This is also an excellent writeup about the issue:
<http://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/>

When user namespaces are in use, the check for the capability
CAP_SYS_ADMIN is done against the user namespace that originally opened
the tty.

Acked-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Matt Brown <matt@nmatt.com>
---
 Documentation/sysctl/kernel.txt | 21 +++++++++++++++++++++
 drivers/tty/tty_io.c            |  8 ++++++++
 include/linux/tty.h             |  2 ++
 kernel/sysctl.c                 | 12 ++++++++++++
 security/Kconfig                | 13 +++++++++++++
 5 files changed, 56 insertions(+)

Comments

Alan Cox May 29, 2017, 10:26 p.m. UTC | #1
On Mon, 29 May 2017 17:38:00 -0400
Matt Brown <matt@nmatt.com> wrote:

> This introduces the tiocsti_restrict sysctl, whose default is controlled
> via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this control
> restricts all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.

Which is really quite pointless as I keep pointing out and you keep
reposting this nonsense.

> 
> This patch depends on patch 1/2
> 
> This patch was inspired from GRKERNSEC_HARDEN_TTY.
> 
> This patch would have prevented
> https://bugzilla.redhat.com/show_bug.cgi?id=1411256 under the following
> conditions:
> * non-privileged container
> * container run inside new user namespace

And assuming no other ioctl could be used in an attack. Only there are
rather a lot of ways an app with access to a tty can cause mischief if
it's the same controlling tty as the higher privileged context that
launched it.

Properly written code allocates a new pty/tty pair for the lower
privileged session. If the code doesn't do that then your change merely
modifies the degree of mayhem it can cause. If it does it right then your
patch is pointless.

> Possible effects on userland:
> 
> There could be a few user programs that would be effected by this
> change.

In other words, it's yet another weird config option that breaks stuff.


NAK v7.

Alan
Boris Lukashev May 29, 2017, 11:51 p.m. UTC | #2
With all due respect sir, i believe your review falls short of the
purpose of this effort - to harden the kernel against flaws in
userspace. Comments along the line of "if <userspace> does it right
then your patch is pointless" are not relevant to the context of
securing kernel functions/interfaces. What userspace should do has
little bearing on defensive measures actually implemented in the
kernel - if we took the approach of "someone else is responsible for
that" in military operations, the world would be a much darker and
different place today. Those who have the luxury of standoff from the
critical impacts of security vulnerabilities may not take into account
the fact that peoples lives literally depend on Linux getting a lot
more secure, and quickly.
If this work were not valuable, it wouldnt be an enabled kernel option
on a massive number of kernels with attack surfaces reduced by the
compound protections offered by the grsec patch set. I can't speak for
the grsec people, but having read a small fraction of the commentary
around the subject of mainline integration, it seems to me that NAKs
like this are exactly why they had no interest in even trying - this
review is based on the cultural views of the kernel community, not on
the security benefits offered by the work in the current state of
affairs (where userspace is broken). The purpose of each of these
protections (being ported over from grsec) is not to offer carte
blanche defense against all attackers and vectors, but to prevent
specific classes of bugs from reducing the security posture of the
system. By implementing these defenses in a layered manner we can
significantly reduce our kernel attack surface. Once userspace catches
up and does things the right way, and has no capacity for doing them
the wrong way (aka, nothing attackers can use to bypass the proper
userspace behavior), then the functionality really does become
pointless, and can then be removed.
From a practical perspective, can alternative solutions be offered
along with NAKs? Killing things on the vine isnt great, and if a
security measure is being denied, upstream should provide their
solution to how they want to address the problem (or just an outline
to guide the hardened folks).

On Mon, May 29, 2017 at 6:26 PM, Alan Cox <gnomes@lxorguk.ukuu.org.uk> wrote:
> On Mon, 29 May 2017 17:38:00 -0400
> Matt Brown <matt@nmatt.com> wrote:
>
>> This introduces the tiocsti_restrict sysctl, whose default is controlled
>> via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this control
>> restricts all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.
>
> Which is really quite pointless as I keep pointing out and you keep
> reposting this nonsense.
>
>>
>> This patch depends on patch 1/2
>>
>> This patch was inspired from GRKERNSEC_HARDEN_TTY.
>>
>> This patch would have prevented
>> https://bugzilla.redhat.com/show_bug.cgi?id=1411256 under the following
>> conditions:
>> * non-privileged container
>> * container run inside new user namespace
>
> And assuming no other ioctl could be used in an attack. Only there are
> rather a lot of ways an app with access to a tty can cause mischief if
> it's the same controlling tty as the higher privileged context that
> launched it.
>
> Properly written code allocates a new pty/tty pair for the lower
> privileged session. If the code doesn't do that then your change merely
> modifies the degree of mayhem it can cause. If it does it right then your
> patch is pointless.
>
>> Possible effects on userland:
>>
>> There could be a few user programs that would be effected by this
>> change.
>
> In other words, it's yet another weird config option that breaks stuff.
>
>
> NAK v7.
>
> Alan
Matt Brown May 30, 2017, 12:15 a.m. UTC | #3
On 5/29/17 6:26 PM, Alan Cox wrote:
> On Mon, 29 May 2017 17:38:00 -0400
> Matt Brown <matt@nmatt.com> wrote:
> 
>> This introduces the tiocsti_restrict sysctl, whose default is controlled
>> via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this control
>> restricts all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.
> 
> Which is really quite pointless as I keep pointing out and you keep
> reposting this nonsense.
> 
>>
>> This patch depends on patch 1/2
>>
>> This patch was inspired from GRKERNSEC_HARDEN_TTY.
>>
>> This patch would have prevented
>> https://bugzilla.redhat.com/show_bug.cgi?id=1411256 under the following
>> conditions:
>> * non-privileged container
>> * container run inside new user namespace
> 
> And assuming no other ioctl could be used in an attack. Only there are
> rather a lot of ways an app with access to a tty can cause mischief if
> it's the same controlling tty as the higher privileged context that
> launched it.

Can you give me an example of another ioctl that you can abuse to practically
gain code execution in the privileged context? Saying that the child process
could "cause mischief" is a bit vague.

> 
> Properly written code allocates a new pty/tty pair for the lower
> privileged session. If the code doesn't do that then your change merely
> modifies the degree of mayhem it can cause. If it does it right then your
> patch is pointless.
> 
>> Possible effects on userland:
>>
>> There could be a few user programs that would be effected by this
>> change.
> 
> In other words, it's yet another weird config option that breaks stuff.
> 

It doesn't break anything because it is default n. People that enable this
option will understand they are disabling the tiocsti ioctl for non privileged
processes.

> 
> NAK v7.

Rather than a NAK, could you explain how you would solve this problem in a way
that we can protect userspace from shooting itself in the foot.

See CVE lookup: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tiocsti

Matt
Casey Schaufler May 30, 2017, 12:27 a.m. UTC | #4
On 5/29/2017 4:51 PM, Boris Lukashev wrote:
> With all due respect sir, i believe your review falls short of the
> purpose of this effort - to harden the kernel against flaws in
> userspace. Comments along the line of "if <userspace> does it right
> then your patch is pointless" are not relevant to the context of
> securing kernel functions/interfaces. What userspace should do has
> little bearing on defensive measures actually implemented in the
> kernel - if we took the approach of "someone else is responsible for
> that" in military operations, the world would be a much darker and
> different place today. Those who have the luxury of standoff from the
> critical impacts of security vulnerabilities may not take into account
> the fact that peoples lives literally depend on Linux getting a lot
> more secure, and quickly.

You are not going to help anyone with a kernel configuration that
breaks agetty, csh, xemacs and tcsh. The opportunities for using
such a configuration are limited.

> If this work were not valuable, it wouldnt be an enabled kernel option
> on a massive number of kernels with attack surfaces reduced by the
> compound protections offered by the grsec patch set.

I'll bet you a beverage that 99-44/100% of the people who have
this enabled have no clue that it's even there. And if they did,
most of them would turn it off.

> I can't speak for
> the grsec people, but having read a small fraction of the commentary
> around the subject of mainline integration, it seems to me that NAKs
> like this are exactly why they had no interest in even trying - this
> review is based on the cultural views of the kernel community, not on
> the security benefits offered by the work in the current state of
> affairs (where userspace is broken).

A security clamp-down that breaks important stuff is going
to have a tough row to hoe going upstream. Same with a performance
enhancement that breaks things.

> The purpose of each of these
> protections (being ported over from grsec) is not to offer carte
> blanche defense against all attackers and vectors, but to prevent
> specific classes of bugs from reducing the security posture of the
> system. By implementing these defenses in a layered manner we can
> significantly reduce our kernel attack surface.

Sure, but they have to work right. That's an important reason to do
small changes. A change that isn't acceptable can be rejected without
slowing the general progress.

> Once userspace catches
> up and does things the right way, and has no capacity for doing them
> the wrong way (aka, nothing attackers can use to bypass the proper
> userspace behavior), then the functionality really does become
> pointless, and can then be removed.

Well, until someone comes along with yet another spiffy feature
like containers and breaks it again. This is why a really good
solution is required, and the one proposed isn't up to snuff.

> >From a practical perspective, can alternative solutions be offered
> along with NAKs?

They often are, but let's face it, not everyone has the time,
desire and/or expertise to solve every problem that comes up.

> Killing things on the vine isnt great, and if a
> security measure is being denied, upstream should provide their
> solution to how they want to address the problem (or just an outline
> to guide the hardened folks).

The impact of a "security measure" can exceed the value provided.
That is, I understand, the basis of the NAK. We need to be careful
to keep in mind that, until such time as there is substantial interest
in the sort of systemic changes that truly remove this class of issue,
we're going to have to justify the risk/reward trade off when we try
to introduce a change.

>
> On Mon, May 29, 2017 at 6:26 PM, Alan Cox <gnomes@lxorguk.ukuu.org.uk> wrote:
>> On Mon, 29 May 2017 17:38:00 -0400
>> Matt Brown <matt@nmatt.com> wrote:
>>
>>> This introduces the tiocsti_restrict sysctl, whose default is controlled
>>> via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this control
>>> restricts all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.
>> Which is really quite pointless as I keep pointing out and you keep
>> reposting this nonsense.
>>
>>> This patch depends on patch 1/2
>>>
>>> This patch was inspired from GRKERNSEC_HARDEN_TTY.
>>>
>>> This patch would have prevented
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1411256 under the following
>>> conditions:
>>> * non-privileged container
>>> * container run inside new user namespace
>> And assuming no other ioctl could be used in an attack. Only there are
>> rather a lot of ways an app with access to a tty can cause mischief if
>> it's the same controlling tty as the higher privileged context that
>> launched it.
>>
>> Properly written code allocates a new pty/tty pair for the lower
>> privileged session. If the code doesn't do that then your change merely
>> modifies the degree of mayhem it can cause. If it does it right then your
>> patch is pointless.
>>
>>> Possible effects on userland:
>>>
>>> There could be a few user programs that would be effected by this
>>> change.
>> In other words, it's yet another weird config option that breaks stuff.
>>
>>
>> NAK v7.
>>
>> Alan
>
>
Matt Brown May 30, 2017, 2 a.m. UTC | #5
Casey Schaufler,

First I must start this off by saying I really appreciate your presentation on
LSMs that is up on youtube. I've got a LSM in the works and your talk has
helped me a bunch.

On 5/29/17 8:27 PM, Casey Schaufler wrote:
> On 5/29/2017 4:51 PM, Boris Lukashev wrote:
>> With all due respect sir, i believe your review falls short of the
>> purpose of this effort - to harden the kernel against flaws in
>> userspace. Comments along the line of "if <userspace> does it right
>> then your patch is pointless" are not relevant to the context of
>> securing kernel functions/interfaces. What userspace should do has
>> little bearing on defensive measures actually implemented in the
>> kernel - if we took the approach of "someone else is responsible for
>> that" in military operations, the world would be a much darker and
>> different place today. Those who have the luxury of standoff from the
>> critical impacts of security vulnerabilities may not take into account
>> the fact that peoples lives literally depend on Linux getting a lot
>> more secure, and quickly.
> 
> You are not going to help anyone with a kernel configuration that
> breaks agetty, csh, xemacs and tcsh. The opportunities for using
> such a configuration are limited.

This patch does not break these programs as you imply. 99% of users of these
programs will not be effected. Its not like the TIOCSTI ioctl is a critical
part of these programs.

Also as I've stated elsewhere, this is not breaking userspace because this
Kconfig/sysctl defaults to n. If someone is using the programs listed above in
a way that does utilize an unprivileged call to the TIOCSTI ioctl, they can
turn this feature off.

> 
>> If this work were not valuable, it wouldnt be an enabled kernel option
>> on a massive number of kernels with attack surfaces reduced by the
>> compound protections offered by the grsec patch set.
> 
> I'll bet you a beverage that 99-44/100% of the people who have
> this enabled have no clue that it's even there. And if they did,
> most of them would turn it off.
> 

First, I don't know how to parse "99-44/100%" and therefore do not wish to
wager a beverage on such confusing odds ;)

Second, as stated above, this feature is off by default. However, I would expect
this sysctl to show up in lists of procedures for hardening linux servers.

>> I can't speak for
>> the grsec people, but having read a small fraction of the commentary
>> around the subject of mainline integration, it seems to me that NAKs
>> like this are exactly why they had no interest in even trying - this
>> review is based on the cultural views of the kernel community, not on
>> the security benefits offered by the work in the current state of
>> affairs (where userspace is broken).
> 
> A security clamp-down that breaks important stuff is going
> to have a tough row to hoe going upstream. Same with a performance
> enhancement that breaks things.
> 
>> The purpose of each of these
>> protections (being ported over from grsec) is not to offer carte
>> blanche defense against all attackers and vectors, but to prevent
>> specific classes of bugs from reducing the security posture of the
>> system. By implementing these defenses in a layered manner we can
>> significantly reduce our kernel attack surface.
> 
> Sure, but they have to work right. That's an important reason to do
> small changes. A change that isn't acceptable can be rejected without
> slowing the general progress.
> 
>> Once userspace catches
>> up and does things the right way, and has no capacity for doing them
>> the wrong way (aka, nothing attackers can use to bypass the proper
>> userspace behavior), then the functionality really does become
>> pointless, and can then be removed.
> 
> Well, until someone comes along with yet another spiffy feature
> like containers and breaks it again. This is why a really good
> solution is required, and the one proposed isn't up to snuff.
> 

Can you please state your reasons for why you believe this solution is not "up
to snuff?" So far myself and others have given what I believe to be sound
responses to any objections to this patch.

>> >From a practical perspective, can alternative solutions be offered
>> along with NAKs?
> 
> They often are, but let's face it, not everyone has the time,
> desire and/or expertise to solve every problem that comes up.
> 
>> Killing things on the vine isnt great, and if a
>> security measure is being denied, upstream should provide their
>> solution to how they want to address the problem (or just an outline
>> to guide the hardened folks).
> 
> The impact of a "security measure" can exceed the value provided.
> That is, I understand, the basis of the NAK. We need to be careful
> to keep in mind that, until such time as there is substantial interest
> in the sort of systemic changes that truly remove this class of issue,
> we're going to have to justify the risk/reward trade off when we try
> to introduce a change.
> 
>>
>> On Mon, May 29, 2017 at 6:26 PM, Alan Cox <gnomes@lxorguk.ukuu.org.uk> wrote:
>>> On Mon, 29 May 2017 17:38:00 -0400
>>> Matt Brown <matt@nmatt.com> wrote:
>>>
>>>> This introduces the tiocsti_restrict sysctl, whose default is controlled
>>>> via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this control
>>>> restricts all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.
>>> Which is really quite pointless as I keep pointing out and you keep
>>> reposting this nonsense.
>>>
>>>> This patch depends on patch 1/2
>>>>
>>>> This patch was inspired from GRKERNSEC_HARDEN_TTY.
>>>>
>>>> This patch would have prevented
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1411256 under the following
>>>> conditions:
>>>> * non-privileged container
>>>> * container run inside new user namespace
>>> And assuming no other ioctl could be used in an attack. Only there are
>>> rather a lot of ways an app with access to a tty can cause mischief if
>>> it's the same controlling tty as the higher privileged context that
>>> launched it.
>>>
>>> Properly written code allocates a new pty/tty pair for the lower
>>> privileged session. If the code doesn't do that then your change merely
>>> modifies the degree of mayhem it can cause. If it does it right then your
>>> patch is pointless.
>>>
>>>> Possible effects on userland:
>>>>
>>>> There could be a few user programs that would be effected by this
>>>> change.
>>> In other words, it's yet another weird config option that breaks stuff.
>>>
>>>
>>> NAK v7.
>>>
>>> Alan
>>
>>
> 

Thanks,
Matt Brown
Casey Schaufler May 30, 2017, 2:46 a.m. UTC | #6
On 5/29/2017 7:00 PM, Matt Brown wrote:
> Casey Schaufler,
>
> First I must start this off by saying I really appreciate your presentation on
> LSMs that is up on youtube. I've got a LSM in the works and your talk has
> helped me a bunch.

Thank you. Feedback (especially positive) is always appreciated.

>
> On 5/29/17 8:27 PM, Casey Schaufler wrote:
>> On 5/29/2017 4:51 PM, Boris Lukashev wrote:
>>> With all due respect sir, i believe your review falls short of the
>>> purpose of this effort - to harden the kernel against flaws in
>>> userspace. Comments along the line of "if <userspace> does it right
>>> then your patch is pointless" are not relevant to the context of
>>> securing kernel functions/interfaces. What userspace should do has
>>> little bearing on defensive measures actually implemented in the
>>> kernel - if we took the approach of "someone else is responsible for
>>> that" in military operations, the world would be a much darker and
>>> different place today. Those who have the luxury of standoff from the
>>> critical impacts of security vulnerabilities may not take into account
>>> the fact that peoples lives literally depend on Linux getting a lot
>>> more secure, and quickly.
>> You are not going to help anyone with a kernel configuration that
>> breaks agetty, csh, xemacs and tcsh. The opportunities for using
>> such a configuration are limited.
> This patch does not break these programs as you imply. 99% of users of these
> programs will not be effected. Its not like the TIOCSTI ioctl is a critical
> part of these programs.

Most likely not.

>
> Also as I've stated elsewhere, this is not breaking userspace because this
> Kconfig/sysctl defaults to n. If someone is using the programs listed above in
> a way that does utilize an unprivileged call to the TIOCSTI ioctl, they can
> turn this feature off.

Default "off" does not mean it doesn't break userspace. It means that it might
not break userspace in your environment. Or it might, depending on the whim of
the build tool of the day.

>
>>> If this work were not valuable, it wouldnt be an enabled kernel option
>>> on a massive number of kernels with attack surfaces reduced by the
>>> compound protections offered by the grsec patch set.
>> I'll bet you a beverage that 99-44/100% of the people who have
>> this enabled have no clue that it's even there. And if they did,
>> most of them would turn it off.
>>
> First, I don't know how to parse "99-44/100%" and therefore do not wish to
> wager a beverage on such confusing odds ;)

99.44%. And I loose a *lot* of beverage bets.

> Second, as stated above, this feature is off by default. However, I would expect
> this sysctl to show up in lists of procedures for hardening linux servers.

It's esoteric enough that I expect that if anyone got bitten by it
word would get out and no one would use it thereafter.

>
>>> I can't speak for
>>> the grsec people, but having read a small fraction of the commentary
>>> around the subject of mainline integration, it seems to me that NAKs
>>> like this are exactly why they had no interest in even trying - this
>>> review is based on the cultural views of the kernel community, not on
>>> the security benefits offered by the work in the current state of
>>> affairs (where userspace is broken).
>> A security clamp-down that breaks important stuff is going
>> to have a tough row to hoe going upstream. Same with a performance
>> enhancement that breaks things.
>>
>>> The purpose of each of these
>>> protections (being ported over from grsec) is not to offer carte
>>> blanche defense against all attackers and vectors, but to prevent
>>> specific classes of bugs from reducing the security posture of the
>>> system. By implementing these defenses in a layered manner we can
>>> significantly reduce our kernel attack surface.
>> Sure, but they have to work right. That's an important reason to do
>> small changes. A change that isn't acceptable can be rejected without
>> slowing the general progress.
>>
>>> Once userspace catches
>>> up and does things the right way, and has no capacity for doing them
>>> the wrong way (aka, nothing attackers can use to bypass the proper
>>> userspace behavior), then the functionality really does become
>>> pointless, and can then be removed.
>> Well, until someone comes along with yet another spiffy feature
>> like containers and breaks it again. This is why a really good
>> solution is required, and the one proposed isn't up to snuff.
>>
> Can you please state your reasons for why you believe this solution is not "up
> to snuff?" So far myself and others have given what I believe to be sound
> responses to any objections to this patch.

If you can't convince Alan, who know ways more about ttys than anyone
ought to, it's not up to snuff.

>
>>> >From a practical perspective, can alternative solutions be offered
>>> along with NAKs?
>> They often are, but let's face it, not everyone has the time,
>> desire and/or expertise to solve every problem that comes up.
>>
>>> Killing things on the vine isnt great, and if a
>>> security measure is being denied, upstream should provide their
>>> solution to how they want to address the problem (or just an outline
>>> to guide the hardened folks).
>> The impact of a "security measure" can exceed the value provided.
>> That is, I understand, the basis of the NAK. We need to be careful
>> to keep in mind that, until such time as there is substantial interest
>> in the sort of systemic changes that truly remove this class of issue,
>> we're going to have to justify the risk/reward trade off when we try
>> to introduce a change.
>>
>>> On Mon, May 29, 2017 at 6:26 PM, Alan Cox <gnomes@lxorguk.ukuu.org.uk> wrote:
>>>> On Mon, 29 May 2017 17:38:00 -0400
>>>> Matt Brown <matt@nmatt.com> wrote:
>>>>
>>>>> This introduces the tiocsti_restrict sysctl, whose default is controlled
>>>>> via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this control
>>>>> restricts all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.
>>>> Which is really quite pointless as I keep pointing out and you keep
>>>> reposting this nonsense.
>>>>
>>>>> This patch depends on patch 1/2
>>>>>
>>>>> This patch was inspired from GRKERNSEC_HARDEN_TTY.
>>>>>
>>>>> This patch would have prevented
>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1411256 under the following
>>>>> conditions:
>>>>> * non-privileged container
>>>>> * container run inside new user namespace
>>>> And assuming no other ioctl could be used in an attack. Only there are
>>>> rather a lot of ways an app with access to a tty can cause mischief if
>>>> it's the same controlling tty as the higher privileged context that
>>>> launched it.
>>>>
>>>> Properly written code allocates a new pty/tty pair for the lower
>>>> privileged session. If the code doesn't do that then your change merely
>>>> modifies the degree of mayhem it can cause. If it does it right then your
>>>> patch is pointless.
>>>>
>>>>> Possible effects on userland:
>>>>>
>>>>> There could be a few user programs that would be effected by this
>>>>> change.
>>>> In other words, it's yet another weird config option that breaks stuff.
>>>>
>>>>
>>>> NAK v7.
>>>>
>>>> Alan
>>>
> Thanks,
> Matt Brown
>
Matt Brown May 30, 2017, 3:18 a.m. UTC | #7
On 5/29/17 10:46 PM, Casey Schaufler wrote:
> On 5/29/2017 7:00 PM, Matt Brown wrote:
>> Casey Schaufler,
>>
>> First I must start this off by saying I really appreciate your presentation on
>> LSMs that is up on youtube. I've got a LSM in the works and your talk has
>> helped me a bunch.
> 
> Thank you. Feedback (especially positive) is always appreciated.
> 
>>
>> On 5/29/17 8:27 PM, Casey Schaufler wrote:
>>> On 5/29/2017 4:51 PM, Boris Lukashev wrote:
>>>> With all due respect sir, i believe your review falls short of the
>>>> purpose of this effort - to harden the kernel against flaws in
>>>> userspace. Comments along the line of "if <userspace> does it right
>>>> then your patch is pointless" are not relevant to the context of
>>>> securing kernel functions/interfaces. What userspace should do has
>>>> little bearing on defensive measures actually implemented in the
>>>> kernel - if we took the approach of "someone else is responsible for
>>>> that" in military operations, the world would be a much darker and
>>>> different place today. Those who have the luxury of standoff from the
>>>> critical impacts of security vulnerabilities may not take into account
>>>> the fact that peoples lives literally depend on Linux getting a lot
>>>> more secure, and quickly.
>>> You are not going to help anyone with a kernel configuration that
>>> breaks agetty, csh, xemacs and tcsh. The opportunities for using
>>> such a configuration are limited.
>> This patch does not break these programs as you imply. 99% of users of these
>> programs will not be effected. Its not like the TIOCSTI ioctl is a critical
>> part of these programs.
> 
> Most likely not.
> 
>>
>> Also as I've stated elsewhere, this is not breaking userspace because this
>> Kconfig/sysctl defaults to n. If someone is using the programs listed above in
>> a way that does utilize an unprivileged call to the TIOCSTI ioctl, they can
>> turn this feature off.
> 
> Default "off" does not mean it doesn't break userspace. It means that it might
> not break userspace in your environment. Or it might, depending on the whim of
> the build tool of the day.
> 

By this logic, it seems like any introduced feature which toggles some security
feature could be seen as "breaking userspace." For example:

1. Let there exist a LSM X that is set to "off" by default.
	(let's say its a simpler type of MAC ;)
2. There exists an inexperienced user Bob that toggles X to "on".
3. Bob complains that X has broken userspace because he now cannot access his
SSH key from firefox.

build tool's will always have important impacts on a system based on the config
that is used.

My understanding of the "don't break userspace" rule has always been to not
change existing, userspace facing, APIs/ioctls/system calls/etc. I don't
believe that my patch does this.

>>
>>>> If this work were not valuable, it wouldnt be an enabled kernel option
>>>> on a massive number of kernels with attack surfaces reduced by the
>>>> compound protections offered by the grsec patch set.
>>> I'll bet you a beverage that 99-44/100% of the people who have
>>> this enabled have no clue that it's even there. And if they did,
>>> most of them would turn it off.
>>>
>> First, I don't know how to parse "99-44/100%" and therefore do not wish to
>> wager a beverage on such confusing odds ;)
> 
> 99.44%. And I loose a *lot* of beverage bets.
> 
>> Second, as stated above, this feature is off by default. However, I would expect
>> this sysctl to show up in lists of procedures for hardening linux servers.
> 
> It's esoteric enough that I expect that if anyone got bitten by it
> word would get out and no one would use it thereafter.
> 

As we know in the security world, esoteric things can have major a impact. I
have not looked thought all of these, but I imagine most of them could have
been prevented by this patch.

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tiocsti

>>
>>>> I can't speak for
>>>> the grsec people, but having read a small fraction of the commentary
>>>> around the subject of mainline integration, it seems to me that NAKs
>>>> like this are exactly why they had no interest in even trying - this
>>>> review is based on the cultural views of the kernel community, not on
>>>> the security benefits offered by the work in the current state of
>>>> affairs (where userspace is broken).
>>> A security clamp-down that breaks important stuff is going
>>> to have a tough row to hoe going upstream. Same with a performance
>>> enhancement that breaks things.
>>>
>>>> The purpose of each of these
>>>> protections (being ported over from grsec) is not to offer carte
>>>> blanche defense against all attackers and vectors, but to prevent
>>>> specific classes of bugs from reducing the security posture of the
>>>> system. By implementing these defenses in a layered manner we can
>>>> significantly reduce our kernel attack surface.
>>> Sure, but they have to work right. That's an important reason to do
>>> small changes. A change that isn't acceptable can be rejected without
>>> slowing the general progress.
>>>
>>>> Once userspace catches
>>>> up and does things the right way, and has no capacity for doing them
>>>> the wrong way (aka, nothing attackers can use to bypass the proper
>>>> userspace behavior), then the functionality really does become
>>>> pointless, and can then be removed.
>>> Well, until someone comes along with yet another spiffy feature
>>> like containers and breaks it again. This is why a really good
>>> solution is required, and the one proposed isn't up to snuff.
>>>
>> Can you please state your reasons for why you believe this solution is not "up
>> to snuff?" So far myself and others have given what I believe to be sound
>> responses to any objections to this patch.
> 
> If you can't convince Alan, who know ways more about ttys than anyone
> ought to, it's not up to snuff.
> 
>>
>>>> >From a practical perspective, can alternative solutions be offered
>>>> along with NAKs?
>>> They often are, but let's face it, not everyone has the time,
>>> desire and/or expertise to solve every problem that comes up.
>>>
>>>> Killing things on the vine isnt great, and if a
>>>> security measure is being denied, upstream should provide their
>>>> solution to how they want to address the problem (or just an outline
>>>> to guide the hardened folks).
>>> The impact of a "security measure" can exceed the value provided.
>>> That is, I understand, the basis of the NAK. We need to be careful
>>> to keep in mind that, until such time as there is substantial interest
>>> in the sort of systemic changes that truly remove this class of issue,
>>> we're going to have to justify the risk/reward trade off when we try
>>> to introduce a change.
>>>
>>>> On Mon, May 29, 2017 at 6:26 PM, Alan Cox <gnomes@lxorguk.ukuu.org.uk> wrote:
>>>>> On Mon, 29 May 2017 17:38:00 -0400
>>>>> Matt Brown <matt@nmatt.com> wrote:
>>>>>
>>>>>> This introduces the tiocsti_restrict sysctl, whose default is controlled
>>>>>> via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this control
>>>>>> restricts all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.
>>>>> Which is really quite pointless as I keep pointing out and you keep
>>>>> reposting this nonsense.
>>>>>
>>>>>> This patch depends on patch 1/2
>>>>>>
>>>>>> This patch was inspired from GRKERNSEC_HARDEN_TTY.
>>>>>>
>>>>>> This patch would have prevented
>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1411256 under the following
>>>>>> conditions:
>>>>>> * non-privileged container
>>>>>> * container run inside new user namespace
>>>>> And assuming no other ioctl could be used in an attack. Only there are
>>>>> rather a lot of ways an app with access to a tty can cause mischief if
>>>>> it's the same controlling tty as the higher privileged context that
>>>>> launched it.
>>>>>
>>>>> Properly written code allocates a new pty/tty pair for the lower
>>>>> privileged session. If the code doesn't do that then your change merely
>>>>> modifies the degree of mayhem it can cause. If it does it right then your
>>>>> patch is pointless.
>>>>>
>>>>>> Possible effects on userland:
>>>>>>
>>>>>> There could be a few user programs that would be effected by this
>>>>>> change.
>>>>> In other words, it's yet another weird config option that breaks stuff.
>>>>>
>>>>>
>>>>> NAK v7.
>>>>>
>>>>> Alan
>>>>
>> Thanks,
>> Matt Brown
>>
>
Alan Cox May 30, 2017, 12:24 p.m. UTC | #8
Look there are two problems here

1. TIOCSTI has users

2. You don't actually fix anything

The underlying problem is that if you give your tty handle to another
process which you don't trust you are screwed. It's fundamental to the
design of the Unix tty model and it's made worse in Linux by the fact
that we use the tty descriptor to access all sorts of other console state
(which makes a ton of sense).

Many years ago a few people got this wrong. All those apps got fixes back
then. They allocate a tty/pty pair and create a new session over that.
The potentially hostile other app only gets to screw itself.

If it was only about TIOCSTI then your patch would still not make sense
because you could use on of the existing LSMs to actually write yourself
some rules about who can and can't use TIOCSTI. For that matter you can
even use the seccomp feature today to do this without touching your
kernel because the ioctl number is a value so you can just block ioctl
with argument 2 of TIOCSTI.

So please explain why we need an obscure kernel config option that normal
users will not understand which protects against nothing and can be
done already ?

Alan
Casey Schaufler May 30, 2017, 3:20 p.m. UTC | #9
On 5/29/2017 8:18 PM, Matt Brown wrote:
> On 5/29/17 10:46 PM, Casey Schaufler wrote:
>> On 5/29/2017 7:00 PM, Matt Brown wrote:
>>> Casey Schaufler,
>>>
>>> First I must start this off by saying I really appreciate your presentation on
>>> LSMs that is up on youtube. I've got a LSM in the works and your talk has
>>> helped me a bunch.
>> Thank you. Feedback (especially positive) is always appreciated.
>>
>>> On 5/29/17 8:27 PM, Casey Schaufler wrote:
>>>> On 5/29/2017 4:51 PM, Boris Lukashev wrote:
>>>>> With all due respect sir, i believe your review falls short of the
>>>>> purpose of this effort - to harden the kernel against flaws in
>>>>> userspace. Comments along the line of "if <userspace> does it right
>>>>> then your patch is pointless" are not relevant to the context of
>>>>> securing kernel functions/interfaces. What userspace should do has
>>>>> little bearing on defensive measures actually implemented in the
>>>>> kernel - if we took the approach of "someone else is responsible for
>>>>> that" in military operations, the world would be a much darker and
>>>>> different place today. Those who have the luxury of standoff from the
>>>>> critical impacts of security vulnerabilities may not take into account
>>>>> the fact that peoples lives literally depend on Linux getting a lot
>>>>> more secure, and quickly.
>>>> You are not going to help anyone with a kernel configuration that
>>>> breaks agetty, csh, xemacs and tcsh. The opportunities for using
>>>> such a configuration are limited.
>>> This patch does not break these programs as you imply. 99% of users of these
>>> programs will not be effected. Its not like the TIOCSTI ioctl is a critical
>>> part of these programs.
>> Most likely not.
>>
>>> Also as I've stated elsewhere, this is not breaking userspace because this
>>> Kconfig/sysctl defaults to n. If someone is using the programs listed above in
>>> a way that does utilize an unprivileged call to the TIOCSTI ioctl, they can
>>> turn this feature off.
>> Default "off" does not mean it doesn't break userspace. It means that it might
>> not break userspace in your environment. Or it might, depending on the whim of
>> the build tool of the day.
>>
> By this logic, it seems like any introduced feature which toggles some security
> feature could be seen as "breaking userspace." For example:
>
> 1. Let there exist a LSM X that is set to "off" by default.
> 	(let's say its a simpler type of MAC ;)

You picked a bad example ...

> 2. There exists an inexperienced user Bob that toggles X to "on".

... which is easy enough, however ...

> 3. Bob complains that X has broken userspace because he now cannot access his
> SSH key from firefox.

... that's not going to happen. Because the LSM you're referring to requires
additional configuration to "break" userspace. That, by the way, was a conscious
design choice. Now, I realize that's not the case for some other security modules,
but they have things like "permissive mode" to make it easy on accident prone Bob.

The analogy, while obvious, is invalid.

> build tool's will always have important impacts on a system based on the config
> that is used.
>
> My understanding of the "don't break userspace" rule has always been to not
> change existing, userspace facing, APIs/ioctls/system calls/etc. I don't
> believe that my patch does this.
>
>>>>> If this work were not valuable, it wouldnt be an enabled kernel option
>>>>> on a massive number of kernels with attack surfaces reduced by the
>>>>> compound protections offered by the grsec patch set.
>>>> I'll bet you a beverage that 99-44/100% of the people who have
>>>> this enabled have no clue that it's even there. And if they did,
>>>> most of them would turn it off.
>>>>
>>> First, I don't know how to parse "99-44/100%" and therefore do not wish to
>>> wager a beverage on such confusing odds ;)
>> 99.44%. And I loose a *lot* of beverage bets.
>>
>>> Second, as stated above, this feature is off by default. However, I would expect
>>> this sysctl to show up in lists of procedures for hardening linux servers.
>> It's esoteric enough that I expect that if anyone got bitten by it
>> word would get out and no one would use it thereafter.
>>
> As we know in the security world, esoteric things can have major a impact. I
> have not looked thought all of these, but I imagine most of them could have
> been prevented by this patch.
>
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tiocsti
>
>>>>> I can't speak for
>>>>> the grsec people, but having read a small fraction of the commentary
>>>>> around the subject of mainline integration, it seems to me that NAKs
>>>>> like this are exactly why they had no interest in even trying - this
>>>>> review is based on the cultural views of the kernel community, not on
>>>>> the security benefits offered by the work in the current state of
>>>>> affairs (where userspace is broken).
>>>> A security clamp-down that breaks important stuff is going
>>>> to have a tough row to hoe going upstream. Same with a performance
>>>> enhancement that breaks things.
>>>>
>>>>> The purpose of each of these
>>>>> protections (being ported over from grsec) is not to offer carte
>>>>> blanche defense against all attackers and vectors, but to prevent
>>>>> specific classes of bugs from reducing the security posture of the
>>>>> system. By implementing these defenses in a layered manner we can
>>>>> significantly reduce our kernel attack surface.
>>>> Sure, but they have to work right. That's an important reason to do
>>>> small changes. A change that isn't acceptable can be rejected without
>>>> slowing the general progress.
>>>>
>>>>> Once userspace catches
>>>>> up and does things the right way, and has no capacity for doing them
>>>>> the wrong way (aka, nothing attackers can use to bypass the proper
>>>>> userspace behavior), then the functionality really does become
>>>>> pointless, and can then be removed.
>>>> Well, until someone comes along with yet another spiffy feature
>>>> like containers and breaks it again. This is why a really good
>>>> solution is required, and the one proposed isn't up to snuff.
>>>>
>>> Can you please state your reasons for why you believe this solution is not "up
>>> to snuff?" So far myself and others have given what I believe to be sound
>>> responses to any objections to this patch.
>> If you can't convince Alan, who know ways more about ttys than anyone
>> ought to, it's not up to snuff.
>>
>>>>> >From a practical perspective, can alternative solutions be offered
>>>>> along with NAKs?
>>>> They often are, but let's face it, not everyone has the time,
>>>> desire and/or expertise to solve every problem that comes up.
>>>>
>>>>> Killing things on the vine isnt great, and if a
>>>>> security measure is being denied, upstream should provide their
>>>>> solution to how they want to address the problem (or just an outline
>>>>> to guide the hardened folks).
>>>> The impact of a "security measure" can exceed the value provided.
>>>> That is, I understand, the basis of the NAK. We need to be careful
>>>> to keep in mind that, until such time as there is substantial interest
>>>> in the sort of systemic changes that truly remove this class of issue,
>>>> we're going to have to justify the risk/reward trade off when we try
>>>> to introduce a change.
>>>>
>>>>> On Mon, May 29, 2017 at 6:26 PM, Alan Cox <gnomes@lxorguk.ukuu.org.uk> wrote:
>>>>>> On Mon, 29 May 2017 17:38:00 -0400
>>>>>> Matt Brown <matt@nmatt.com> wrote:
>>>>>>
>>>>>>> This introduces the tiocsti_restrict sysctl, whose default is controlled
>>>>>>> via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this control
>>>>>>> restricts all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.
>>>>>> Which is really quite pointless as I keep pointing out and you keep
>>>>>> reposting this nonsense.
>>>>>>
>>>>>>> This patch depends on patch 1/2
>>>>>>>
>>>>>>> This patch was inspired from GRKERNSEC_HARDEN_TTY.
>>>>>>>
>>>>>>> This patch would have prevented
>>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1411256 under the following
>>>>>>> conditions:
>>>>>>> * non-privileged container
>>>>>>> * container run inside new user namespace
>>>>>> And assuming no other ioctl could be used in an attack. Only there are
>>>>>> rather a lot of ways an app with access to a tty can cause mischief if
>>>>>> it's the same controlling tty as the higher privileged context that
>>>>>> launched it.
>>>>>>
>>>>>> Properly written code allocates a new pty/tty pair for the lower
>>>>>> privileged session. If the code doesn't do that then your change merely
>>>>>> modifies the degree of mayhem it can cause. If it does it right then your
>>>>>> patch is pointless.
>>>>>>
>>>>>>> Possible effects on userland:
>>>>>>>
>>>>>>> There could be a few user programs that would be effected by this
>>>>>>> change.
>>>>>> In other words, it's yet another weird config option that breaks stuff.
>>>>>>
>>>>>>
>>>>>> NAK v7.
>>>>>>
>>>>>> Alan
>>> Thanks,
>>> Matt Brown
>>>
Matt Brown May 30, 2017, 4:09 p.m. UTC | #10
On 5/30/17 11:20 AM, Casey Schaufler wrote:
> On 5/29/2017 8:18 PM, Matt Brown wrote:
>> On 5/29/17 10:46 PM, Casey Schaufler wrote:
>>> On 5/29/2017 7:00 PM, Matt Brown wrote:
>>>> Casey Schaufler,
>>>>
>>>> First I must start this off by saying I really appreciate your presentation on
>>>> LSMs that is up on youtube. I've got a LSM in the works and your talk has
>>>> helped me a bunch.
>>> Thank you. Feedback (especially positive) is always appreciated.
>>>
>>>> On 5/29/17 8:27 PM, Casey Schaufler wrote:
>>>>> On 5/29/2017 4:51 PM, Boris Lukashev wrote:
>>>>>> With all due respect sir, i believe your review falls short of the
>>>>>> purpose of this effort - to harden the kernel against flaws in
>>>>>> userspace. Comments along the line of "if <userspace> does it right
>>>>>> then your patch is pointless" are not relevant to the context of
>>>>>> securing kernel functions/interfaces. What userspace should do has
>>>>>> little bearing on defensive measures actually implemented in the
>>>>>> kernel - if we took the approach of "someone else is responsible for
>>>>>> that" in military operations, the world would be a much darker and
>>>>>> different place today. Those who have the luxury of standoff from the
>>>>>> critical impacts of security vulnerabilities may not take into account
>>>>>> the fact that peoples lives literally depend on Linux getting a lot
>>>>>> more secure, and quickly.
>>>>> You are not going to help anyone with a kernel configuration that
>>>>> breaks agetty, csh, xemacs and tcsh. The opportunities for using
>>>>> such a configuration are limited.
>>>> This patch does not break these programs as you imply. 99% of users of these
>>>> programs will not be effected. Its not like the TIOCSTI ioctl is a critical
>>>> part of these programs.
>>> Most likely not.
>>>
>>>> Also as I've stated elsewhere, this is not breaking userspace because this
>>>> Kconfig/sysctl defaults to n. If someone is using the programs listed above in
>>>> a way that does utilize an unprivileged call to the TIOCSTI ioctl, they can
>>>> turn this feature off.
>>> Default "off" does not mean it doesn't break userspace. It means that it might
>>> not break userspace in your environment. Or it might, depending on the whim of
>>> the build tool of the day.
>>>
>> By this logic, it seems like any introduced feature which toggles some security
>> feature could be seen as "breaking userspace." For example:
>>
>> 1. Let there exist a LSM X that is set to "off" by default.
>> 	(let's say its a simpler type of MAC ;)
> 
> You picked a bad example ...
> 
>> 2. There exists an inexperienced user Bob that toggles X to "on".
> 
> ... which is easy enough, however ...
> 
>> 3. Bob complains that X has broken userspace because he now cannot access his
>> SSH key from firefox.
> 
> ... that's not going to happen. Because the LSM you're referring to requires
> additional configuration to "break" userspace. That, by the way, was a conscious
> design choice. Now, I realize that's not the case for some other security modules,
> but they have things like "permissive mode" to make it easy on accident prone Bob.
> 
> The analogy, while obvious, is invalid.

So I may have been a bit sarcastic with my analogy, but my point is that it
seems like your definition of "breaking userspace" is too broad and could lead
to things getting labeled as breaking userspace that clearly are not.

> 
>> build tool's will always have important impacts on a system based on the config
>> that is used.
>>
>> My understanding of the "don't break userspace" rule has always been to not
>> change existing, userspace facing, APIs/ioctls/system calls/etc. I don't
>> believe that my patch does this.
>>
>>>>>> If this work were not valuable, it wouldnt be an enabled kernel option
>>>>>> on a massive number of kernels with attack surfaces reduced by the
>>>>>> compound protections offered by the grsec patch set.
>>>>> I'll bet you a beverage that 99-44/100% of the people who have
>>>>> this enabled have no clue that it's even there. And if they did,
>>>>> most of them would turn it off.
>>>>>
>>>> First, I don't know how to parse "99-44/100%" and therefore do not wish to
>>>> wager a beverage on such confusing odds ;)
>>> 99.44%. And I loose a *lot* of beverage bets.
>>>
>>>> Second, as stated above, this feature is off by default. However, I would expect
>>>> this sysctl to show up in lists of procedures for hardening linux servers.
>>> It's esoteric enough that I expect that if anyone got bitten by it
>>> word would get out and no one would use it thereafter.
>>>
>> As we know in the security world, esoteric things can have major a impact. I
>> have not looked thought all of these, but I imagine most of them could have
>> been prevented by this patch.
>>
>> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tiocsti
>>
>>>>>> I can't speak for
>>>>>> the grsec people, but having read a small fraction of the commentary
>>>>>> around the subject of mainline integration, it seems to me that NAKs
>>>>>> like this are exactly why they had no interest in even trying - this
>>>>>> review is based on the cultural views of the kernel community, not on
>>>>>> the security benefits offered by the work in the current state of
>>>>>> affairs (where userspace is broken).
>>>>> A security clamp-down that breaks important stuff is going
>>>>> to have a tough row to hoe going upstream. Same with a performance
>>>>> enhancement that breaks things.
>>>>>
>>>>>> The purpose of each of these
>>>>>> protections (being ported over from grsec) is not to offer carte
>>>>>> blanche defense against all attackers and vectors, but to prevent
>>>>>> specific classes of bugs from reducing the security posture of the
>>>>>> system. By implementing these defenses in a layered manner we can
>>>>>> significantly reduce our kernel attack surface.
>>>>> Sure, but they have to work right. That's an important reason to do
>>>>> small changes. A change that isn't acceptable can be rejected without
>>>>> slowing the general progress.
>>>>>
>>>>>> Once userspace catches
>>>>>> up and does things the right way, and has no capacity for doing them
>>>>>> the wrong way (aka, nothing attackers can use to bypass the proper
>>>>>> userspace behavior), then the functionality really does become
>>>>>> pointless, and can then be removed.
>>>>> Well, until someone comes along with yet another spiffy feature
>>>>> like containers and breaks it again. This is why a really good
>>>>> solution is required, and the one proposed isn't up to snuff.
>>>>>
>>>> Can you please state your reasons for why you believe this solution is not "up
>>>> to snuff?" So far myself and others have given what I believe to be sound
>>>> responses to any objections to this patch.
>>> If you can't convince Alan, who know ways more about ttys than anyone
>>> ought to, it's not up to snuff.
>>>
>>>>>> >From a practical perspective, can alternative solutions be offered
>>>>>> along with NAKs?
>>>>> They often are, but let's face it, not everyone has the time,
>>>>> desire and/or expertise to solve every problem that comes up.
>>>>>
>>>>>> Killing things on the vine isnt great, and if a
>>>>>> security measure is being denied, upstream should provide their
>>>>>> solution to how they want to address the problem (or just an outline
>>>>>> to guide the hardened folks).
>>>>> The impact of a "security measure" can exceed the value provided.
>>>>> That is, I understand, the basis of the NAK. We need to be careful
>>>>> to keep in mind that, until such time as there is substantial interest
>>>>> in the sort of systemic changes that truly remove this class of issue,
>>>>> we're going to have to justify the risk/reward trade off when we try
>>>>> to introduce a change.
>>>>>
>>>>>> On Mon, May 29, 2017 at 6:26 PM, Alan Cox <gnomes@lxorguk.ukuu.org.uk> wrote:
>>>>>>> On Mon, 29 May 2017 17:38:00 -0400
>>>>>>> Matt Brown <matt@nmatt.com> wrote:
>>>>>>>
>>>>>>>> This introduces the tiocsti_restrict sysctl, whose default is controlled
>>>>>>>> via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this control
>>>>>>>> restricts all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.
>>>>>>> Which is really quite pointless as I keep pointing out and you keep
>>>>>>> reposting this nonsense.
>>>>>>>
>>>>>>>> This patch depends on patch 1/2
>>>>>>>>
>>>>>>>> This patch was inspired from GRKERNSEC_HARDEN_TTY.
>>>>>>>>
>>>>>>>> This patch would have prevented
>>>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1411256 under the following
>>>>>>>> conditions:
>>>>>>>> * non-privileged container
>>>>>>>> * container run inside new user namespace
>>>>>>> And assuming no other ioctl could be used in an attack. Only there are
>>>>>>> rather a lot of ways an app with access to a tty can cause mischief if
>>>>>>> it's the same controlling tty as the higher privileged context that
>>>>>>> launched it.
>>>>>>>
>>>>>>> Properly written code allocates a new pty/tty pair for the lower
>>>>>>> privileged session. If the code doesn't do that then your change merely
>>>>>>> modifies the degree of mayhem it can cause. If it does it right then your
>>>>>>> patch is pointless.
>>>>>>>
>>>>>>>> Possible effects on userland:
>>>>>>>>
>>>>>>>> There could be a few user programs that would be effected by this
>>>>>>>> change.
>>>>>>> In other words, it's yet another weird config option that breaks stuff.
>>>>>>>
>>>>>>>
>>>>>>> NAK v7.
>>>>>>>
>>>>>>> Alan
>>>> Thanks,
>>>> Matt Brown
>>>>
>
Matt Brown May 30, 2017, 4:28 p.m. UTC | #11
On 5/30/17 8:24 AM, Alan Cox wrote:
> Look there are two problems here
> 
> 1. TIOCSTI has users

I don't see how this is a problem.

> 
> 2. You don't actually fix anything
> 
> The underlying problem is that if you give your tty handle to another
> process which you don't trust you are screwed. It's fundamental to the
> design of the Unix tty model and it's made worse in Linux by the fact
> that we use the tty descriptor to access all sorts of other console state
> (which makes a ton of sense).
> 
> Many years ago a few people got this wrong. All those apps got fixes back
> then. They allocate a tty/pty pair and create a new session over that.
> The potentially hostile other app only gets to screw itself.
> 

Many years ago? We already got one in 2017, as well as a bunch last year.
See: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tiocsti

> If it was only about TIOCSTI then your patch would still not make sense
> because you could use on of the existing LSMs to actually write yourself
> some rules about who can and can't use TIOCSTI. For that matter you can
> even use the seccomp feature today to do this without touching your
> kernel because the ioctl number is a value so you can just block ioctl
> with argument 2 of TIOCSTI.
> 

Seccomp requires the program in question to "opt-in" so to speak and set
certain restrictions on itself. However as you state above, any TIOCSTI
protection doesn't matter if the program correctly allocates a tty/pty pair.
This protections seeks to protect users from programs that don't do things
correctly. Rather than killing bugs, this feature attempts to kill an entire
bug class that shows little sign of slowing down in the world of containers and
sandboxes.

> So please explain why we need an obscure kernel config option that normal
> users will not understand which protects against nothing and can be
> done already ?
> 
> Alan
>
Daniel Micay May 30, 2017, 4:44 p.m. UTC | #12
> Seccomp requires the program in question to "opt-in" so to speak and set
> certain restrictions on itself. However as you state above, any TIOCSTI
> protection doesn't matter if the program correctly allocates a tty/pty pair.
> This protections seeks to protect users from programs that don't do things
> correctly. Rather than killing bugs, this feature attempts to kill an entire
> bug class that shows little sign of slowing down in the world of containers and
> sandboxes.

It's possible to do it in PID1 as root without NO_NEW_PRIVS set, but
there isn't an existing implementation of that. It's not included in
init systems like systemd. There's no way to toggle that off at
runtime one that's done like this sysctl though. If a system
administrator wants to enable it, they'll need to modify a
configuration file and reboot if it was even supported by the init
system. It's the same argument that was used against
perf_event_paranoid=3. Meanwhile, perf_event_paranoid=3 is a mandatory
requirement for every Android device and toggling it at runtime is
*necessary* since that's exposed as a system property writable by the
Android Debug Bridge shell user (i.e. physical access via USB + ADB
enabled within the OS + ADB key of the ADB client accepted). There's
less use case for TIOCSTI so toggling it on at runtime isn't as
important, but a toggle like this is a LOT friendlier than a seccomp
blacklist even if that was supported by common init systems, and it's
not.
Stephen Smalley May 30, 2017, 6:32 p.m. UTC | #13
On Tue, 2017-05-30 at 12:28 -0400, Matt Brown wrote:
> On 5/30/17 8:24 AM, Alan Cox wrote:
> > Look there are two problems here
> > 
> > 1. TIOCSTI has users
> 
> I don't see how this is a problem.
> 
> > 
> > 2. You don't actually fix anything
> > 
> > The underlying problem is that if you give your tty handle to
> > another
> > process which you don't trust you are screwed. It's fundamental to
> > the
> > design of the Unix tty model and it's made worse in Linux by the
> > fact
> > that we use the tty descriptor to access all sorts of other console
> > state
> > (which makes a ton of sense).
> > 
> > Many years ago a few people got this wrong. All those apps got
> > fixes back
> > then. They allocate a tty/pty pair and create a new session over
> > that.
> > The potentially hostile other app only gets to screw itself.
> > 
> 
> Many years ago? We already got one in 2017, as well as a bunch last
> year.
> See: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tiocsti
> 
> > If it was only about TIOCSTI then your patch would still not make
> > sense
> > because you could use on of the existing LSMs to actually write
> > yourself
> > some rules about who can and can't use TIOCSTI. For that matter you
> > can
> > even use the seccomp feature today to do this without touching your
> > kernel because the ioctl number is a value so you can just block
> > ioctl
> > with argument 2 of TIOCSTI.
> > 
> 
> Seccomp requires the program in question to "opt-in" so to speak and
> set
> certain restrictions on itself. However as you state above, any
> TIOCSTI
> protection doesn't matter if the program correctly allocates a
> tty/pty pair.
> This protections seeks to protect users from programs that don't do
> things
> correctly. Rather than killing bugs, this feature attempts to kill an
> entire
> bug class that shows little sign of slowing down in the world of
> containers and
> sandboxes.

Just FYI, you can also restrict TIOCSTI (or any other ioctl command)
via SELinux ioctl whitelisting, and Android is using that feature to
restrict TIOCSTI usage in Android O (at least based on the developer
previews to date, also in AOSP master).

> 
> > So please explain why we need an obscure kernel config option that
> > normal
> > users will not understand which protects against nothing and can be
> > done already ?
> > 
> > Alan
> > 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-
> security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
Nick Kralevich May 30, 2017, 6:44 p.m. UTC | #14
On Tue, May 30, 2017 at 11:32 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> Seccomp requires the program in question to "opt-in" so to speak and
>> set
>> certain restrictions on itself. However as you state above, any
>> TIOCSTI
>> protection doesn't matter if the program correctly allocates a
>> tty/pty pair.
>> This protections seeks to protect users from programs that don't do
>> things
>> correctly. Rather than killing bugs, this feature attempts to kill an
>> entire
>> bug class that shows little sign of slowing down in the world of
>> containers and
>> sandboxes.
>
> Just FYI, you can also restrict TIOCSTI (or any other ioctl command)
> via SELinux ioctl whitelisting, and Android is using that feature to
> restrict TIOCSTI usage in Android O (at least based on the developer
> previews to date, also in AOSP master).

For reference, this is https://android-review.googlesource.com/306278
, where we moved to a whitelist for handling ioctls for ptys.

-- Nick
Matt Brown May 30, 2017, 6:57 p.m. UTC | #15
On 5/30/17 2:44 PM, Nick Kralevich wrote:
> On Tue, May 30, 2017 at 11:32 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>> Seccomp requires the program in question to "opt-in" so to speak and
>>> set
>>> certain restrictions on itself. However as you state above, any
>>> TIOCSTI
>>> protection doesn't matter if the program correctly allocates a
>>> tty/pty pair.
>>> This protections seeks to protect users from programs that don't do
>>> things
>>> correctly. Rather than killing bugs, this feature attempts to kill an
>>> entire
>>> bug class that shows little sign of slowing down in the world of
>>> containers and
>>> sandboxes.
>>
>> Just FYI, you can also restrict TIOCSTI (or any other ioctl command)
>> via SELinux ioctl whitelisting, and Android is using that feature to
>> restrict TIOCSTI usage in Android O (at least based on the developer
>> previews to date, also in AOSP master).
> 
> For reference, this is https://android-review.googlesource.com/306278
> , where we moved to a whitelist for handling ioctls for ptys.
> 
> -- Nick
> 

Thanks, I didn't know that android was doing this. I still think this feature
is worthwhile for people to be able to harden their systems against this attack
vector without having to implement a MAC.

Matt
Daniel Micay May 30, 2017, 8:22 p.m. UTC | #16
> Thanks, I didn't know that android was doing this. I still think this
> feature
> is worthwhile for people to be able to harden their systems against
> this attack
> vector without having to implement a MAC.

Since there's a capable LSM hook for ioctl already, it means it could go
in Yama with ptrace_scope but core kernel code would still need to be
changed to track the owning tty. I think Yama vs. core kernel shouldn't
matter much anymore due to stackable LSMs.

Not the case for perf_event_paranoid=3 where a) there's already a sysctl
exposed which would be unfortunate to duplicate, b) there isn't an LSM
hook yet (AFAIK).

The toggles for ptrace and perf events are more useful though since
they're very commonly used debugging features vs. this obscure, rarely
used ioctl that in practice no one will notice is missing. It's still
friendlier to have a toggle than a seccomp policy requiring a reboot to
get rid of it, or worse compiling it out of the kernel.
Alan Cox May 30, 2017, 10:51 p.m. UTC | #17
On Tue, 30 May 2017 12:28:59 -0400
Matt Brown <matt@nmatt.com> wrote:

> On 5/30/17 8:24 AM, Alan Cox wrote:
> > Look there are two problems here
> > 
> > 1. TIOCSTI has users  
> 
> I don't see how this is a problem.

Which is unfortunate. To start with if it didn't have users we could just
delete it.

> > 
> > 2. You don't actually fix anything
> > 
> > The underlying problem is that if you give your tty handle to another
> > process which you don't trust you are screwed. It's fundamental to the
> > design of the Unix tty model and it's made worse in Linux by the fact
> > that we use the tty descriptor to access all sorts of other console state
> > (which makes a ton of sense).
> > 
> > Many years ago a few people got this wrong. All those apps got fixes back
> > then. They allocate a tty/pty pair and create a new session over that.
> > The potentially hostile other app only gets to screw itself.
> >   
> 
> Many years ago? We already got one in 2017, as well as a bunch last year.
> See: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tiocsti

All the apps got fixed at the time. The fact the next generation of
forgot to learn from it is unfortunate but hardly new. Also every single
one of those that exposes a tty in that way allows other annoying
behaviours via other ioctl interfaces so none of them would have been
properly mitigated.

If you really want to do that particular bit of snake oiling then you can
use the existing SELinux, seccomp and related interfaces. They can even
do the job properly by whitelisting or blocking long lists of ioctls.

> This protections seeks to protect users from programs that don't do things
> correctly. Rather than killing bugs, this feature attempts to kill an entire
> bug class that shows little sign of slowing down in the world of containers and
> sandboxes.

Well maybe the people writing them need to learn what they are doing and
stop passing random file descriptors into their container (I've even seen
people handing X file handles into their 'container').

The kernel can do some things to help programmers but it can't stop
people writing crap. Anyone writing code that crosses security boundaries
should have at least a vague idea of what they are doing.

The only way you'd actually really prevent this would be to magically
open a new pty/tty pair and substitute the file handlers plus a data
copying thread when someone created a namespace.

Now you can actually do that with the ptrace functionality in seccomp but
it would still be fairly insane to expect the kernel to handle.

Alan
[Actually even more sensible would be to revert the entire sorry
container mess and use VMs but it's a bit late for that ;-)]
Matt Brown May 30, 2017, 11 p.m. UTC | #18
On 5/30/17 4:22 PM, Daniel Micay wrote:
>> Thanks, I didn't know that android was doing this. I still think this
>> feature
>> is worthwhile for people to be able to harden their systems against
>> this attack
>> vector without having to implement a MAC.
> 
> Since there's a capable LSM hook for ioctl already, it means it could go
> in Yama with ptrace_scope but core kernel code would still need to be
> changed to track the owning tty. I think Yama vs. core kernel shouldn't
> matter much anymore due to stackable LSMs.
> 

What does everyone think about a v8 that moves this feature under Yama and uses
the file_ioctl LSM hook?

> Not the case for perf_event_paranoid=3 where a) there's already a sysctl
> exposed which would be unfortunate to duplicate, b) there isn't an LSM
> hook yet (AFAIK).
> 
> The toggles for ptrace and perf events are more useful though since
> they're very commonly used debugging features vs. this obscure, rarely
> used ioctl that in practice no one will notice is missing. It's still
> friendlier to have a toggle than a seccomp policy requiring a reboot to
> get rid of it, or worse compiling it out of the kernel.
>
Matt Brown May 30, 2017, 11:19 p.m. UTC | #19
On 5/30/17 6:51 PM, Alan Cox wrote:
> On Tue, 30 May 2017 12:28:59 -0400
> Matt Brown <matt@nmatt.com> wrote:
> 
>> On 5/30/17 8:24 AM, Alan Cox wrote:
>>> Look there are two problems here
>>>
>>> 1. TIOCSTI has users  
>>
>> I don't see how this is a problem.
> 
> Which is unfortunate. To start with if it didn't have users we could just
> delete it.
> 
>>>
>>> 2. You don't actually fix anything
>>>
>>> The underlying problem is that if you give your tty handle to another
>>> process which you don't trust you are screwed. It's fundamental to the
>>> design of the Unix tty model and it's made worse in Linux by the fact
>>> that we use the tty descriptor to access all sorts of other console state
>>> (which makes a ton of sense).
>>>
>>> Many years ago a few people got this wrong. All those apps got fixes back
>>> then. They allocate a tty/pty pair and create a new session over that.
>>> The potentially hostile other app only gets to screw itself.
>>>   
>>
>> Many years ago? We already got one in 2017, as well as a bunch last year.
>> See: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tiocsti
> 
> All the apps got fixed at the time. The fact the next generation of
> forgot to learn from it is unfortunate but hardly new. Also every single
> one of those that exposes a tty in that way allows other annoying
> behaviours via other ioctl interfaces so none of them would have been
> properly mitigated.
> 

This is my point. Apps will continue to shoot themselves in the foot. Of course
the correct response to one of these vulns is to not pass ttys across a
security boundary. We have an opportunity here to reduce the impact of this bug
class at the kernel level. Rejecting this mitigation because the real solution
is to use a tty/pty pair is like saying we should reject ASLR because the real
solution to buffer overflows is proper bounds checking.

> If you really want to do that particular bit of snake oiling then you can
> use the existing SELinux, seccomp and related interfaces. They can even
> do the job properly by whitelisting or blocking long lists of ioctls.
> 
>> This protections seeks to protect users from programs that don't do things
>> correctly. Rather than killing bugs, this feature attempts to kill an entire
>> bug class that shows little sign of slowing down in the world of containers and
>> sandboxes.
> 
> Well maybe the people writing them need to learn what they are doing and
> stop passing random file descriptors into their container (I've even seen
> people handing X file handles into their 'container').
> 
> The kernel can do some things to help programmers but it can't stop
> people writing crap. Anyone writing code that crosses security boundaries
> should have at least a vague idea of what they are doing.
> 
> The only way you'd actually really prevent this would be to magically
> open a new pty/tty pair and substitute the file handlers plus a data
> copying thread when someone created a namespace.
> 
> Now you can actually do that with the ptrace functionality in seccomp but
> it would still be fairly insane to expect the kernel to handle.
> 
> Alan
> [Actually even more sensible would be to revert the entire sorry
> container mess and use VMs but it's a bit late for that ;-)]
> 

Totally agree. VMs >> Containers but the cat is out of the bag and we can't put
it back.
Daniel Micay May 30, 2017, 11:40 p.m. UTC | #20
On Tue, 2017-05-30 at 19:00 -0400, Matt Brown wrote:
> On 5/30/17 4:22 PM, Daniel Micay wrote:
> > > Thanks, I didn't know that android was doing this. I still think
> > > this
> > > feature
> > > is worthwhile for people to be able to harden their systems
> > > against
> > > this attack
> > > vector without having to implement a MAC.
> > 
> > Since there's a capable LSM hook for ioctl already, it means it
> > could go
> > in Yama with ptrace_scope but core kernel code would still need to
> > be
> > changed to track the owning tty. I think Yama vs. core kernel
> > shouldn't
> > matter much anymore due to stackable LSMs.
> > 
> 
> What does everyone think about a v8 that moves this feature under Yama
> and uses
> the file_ioctl LSM hook?

It would only make a difference if it could be fully contained there, as
in not depending on tracking the tty owner.
Alan Cox May 30, 2017, 11:56 p.m. UTC | #21
> This is my point. Apps will continue to shoot themselves in the foot. Of course
> the correct response to one of these vulns is to not pass ttys across a
> security boundary. We have an opportunity here to reduce the impact of this bug
> class at the kernel level. 

Not really.

If you pass me your console for example I can mmap your framebuffer and
spy on you all day. Or I could reprogram your fonts, your keyboard, your
video mode, or use set and paste selection to write stuff. If you are
using X and you can't get tty handles right you'll no doubt pass me a
copy of your X file descriptor in which case I own your display, your
keyboard and your mouse and I don't need to use TIOCSTI there either.

There are so many different attacks based upon that screwup that the
kernel cannot defend against them. You aren't exactly reducing the impact.

Alan
Matt Brown May 30, 2017, 11:59 p.m. UTC | #22
On 5/30/17 7:40 PM, Daniel Micay wrote:
> On Tue, 2017-05-30 at 19:00 -0400, Matt Brown wrote:
>> On 5/30/17 4:22 PM, Daniel Micay wrote:
>>>> Thanks, I didn't know that android was doing this. I still think
>>>> this
>>>> feature
>>>> is worthwhile for people to be able to harden their systems
>>>> against
>>>> this attack
>>>> vector without having to implement a MAC.
>>>
>>> Since there's a capable LSM hook for ioctl already, it means it
>>> could go
>>> in Yama with ptrace_scope but core kernel code would still need to
>>> be
>>> changed to track the owning tty. I think Yama vs. core kernel
>>> shouldn't
>>> matter much anymore due to stackable LSMs.
>>>
>>
>> What does everyone think about a v8 that moves this feature under Yama
>> and uses
>> the file_ioctl LSM hook?
> 
> It would only make a difference if it could be fully contained there, as
> in not depending on tracking the tty owner.
> 

For the reasons discussed earlier (to allow for nested containers where one of
the containers is privileged) we want to track the user namespace that owns the tty.
James Morris May 31, 2017, 2:48 a.m. UTC | #23
On Mon, 29 May 2017, Boris Lukashev wrote:

> With all due respect sir, i believe your review falls short of the
> purpose of this effort - to harden the kernel against flaws in
> userspace.

Which effort?  Kernel self protection is about protecting against flaws in 
the kernel.

See:
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

  "This project starts with the premise that kernel bugs have a very long 
   lifetime, and that the kernel must be designed in ways to protect against 
   these flaws."

We need to avoid conflating:

- hardening the kernel against attack; and 
- modifying the kernel to try and harden userspace.

These patches are the latter, and the case for them is not as 
straightforward.


- James
Matt Brown May 31, 2017, 4:10 a.m. UTC | #24
On 05/30/2017 10:48 PM, James Morris wrote:
> On Mon, 29 May 2017, Boris Lukashev wrote:
>
>> With all due respect sir, i believe your review falls short of the
>> purpose of this effort - to harden the kernel against flaws in
>> userspace.
>
> Which effort?  Kernel self protection is about protecting against flaws in
> the kernel.
>
> See:
> https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
>
>   "This project starts with the premise that kernel bugs have a very long
>    lifetime, and that the kernel must be designed in ways to protect against
>    these flaws."
>
> We need to avoid conflating:
>
> - hardening the kernel against attack; and
> - modifying the kernel to try and harden userspace.
>
> These patches are the latter, and the case for them is not as
> straightforward.
>
>
> - James
>

I agree that these patches aren't kernel self protection and I don't
believe I have claimed they are such a thing. These patches I'm
presenting are more akin to ptrace protections that are found in Yama.
Kees Cook June 1, 2017, 2:35 a.m. UTC | #25
On Tue, May 30, 2017 at 4:56 PM, Alan Cox <gnomes@lxorguk.ukuu.org.uk> wrote:
>> This is my point. Apps will continue to shoot themselves in the foot. Of course
>> the correct response to one of these vulns is to not pass ttys across a
>> security boundary. We have an opportunity here to reduce the impact of this bug
>> class at the kernel level.
>
> Not really.
>
> If you pass me your console for example I can mmap your framebuffer and
> spy on you all day. Or I could reprogram your fonts, your keyboard, your
> video mode, or use set and paste selection to write stuff. If you are
> using X and you can't get tty handles right you'll no doubt pass me a
> copy of your X file descriptor in which case I own your display, your
> keyboard and your mouse and I don't need to use TIOCSTI there either.
>
> There are so many different attacks based upon that screwup that the
> kernel cannot defend against them. You aren't exactly reducing the impact.

I still cannot wrap my head around why providing users with a
protection is a bad thing. Yes, the other tty games are bad, but this
fixes a specific and especially bad case that is easy to kill. It's
got a Kconfig and a sysctl. It's not on by default. This protects the
common case of privileged ttys that aren't attached to consoles, etc,
so while the framebuffer thing is an issue, it's not always an issue,
etc.

I'd like to hear Greg's thoughts on this series...

-Kees
lazytyped June 1, 2017, 7:12 a.m. UTC | #26
On 6/1/17 4:35 AM, Kees Cook wrote:
> I still cannot wrap my head around why providing users with a
> protection is a bad thing. Yes, the other tty games are bad, but this
> fixes a specific and especially bad case that is easy to kill. It's
> got a Kconfig and a sysctl. It's not on by default. This protects the
> common case of privileged ttys that aren't attached to consoles, etc,
> so while the framebuffer thing is an issue, it's not always an issue,
> etc.
There are a couple of reasons for that:

First of all, a protection is extra cost, in terms of maintenance, 
knowledge (a new knob) and compatibility. That extra cost may sound 
minimal, but adds up pretty quickly. If the protection is "easily" 
bypassable (that is, today we use TIOCSTI, tomorrow we use something 
else in the same path), then that extra cost/complexity stays for no 
good reason. Feature creep is a real issue, in security, IMHO - it's not 
a 'number of features' game.

Second, stuff that is delivered off by default tends to rot. I don't 
work on Linux, but generally try really hard to not add something that 
is not ON by default at least for a small number of things. Stuff 
inevitably breaks, and it's extra cost.
To me, a protection that needs to be off by default, raises a red flag. 
I know Linux has a somewhat different philosophy (centered around the 
kernel config that each distribution pieces together and ships), so 
mileage probably varies there.

I don't have enough skills to comment about all the possible TTY attacks 
and quirks, but I think I understand where Alan comes from.

Good luck.


          -  Enrico
Alan Cox June 1, 2017, 1:08 p.m. UTC | #27
> I still cannot wrap my head around why providing users with a
> protection is a bad thing. Yes, the other tty games are bad, but this
> fixes a specific and especially bad case that is easy to kill. It's
> got a Kconfig and a sysctl. It's not on by default. This protects the
> common case of privileged ttys that aren't attached to consoles, etc,

Which just leads to stuff not getting fixed. Like all the code out there
today which is still vulnerable to selection based attacks because people
didn't do the job right when "fixing" stuff because they are not
thinking about security at a systems level but just tickboxing CVEs.

I'm not against doing something to protect the container folks, but that
something as with Android is a whitelist of ioctls. And if we need to do
this with a kernel hook lets do it properly.

Remember the namespace of the tty on creation
If the magic security flag is set then
	Apply a whitelist to *any* tty ioctl call where the ns doesn't
		match

and we might as well just take the Android whitelist since they've kindly
built it for us all!

In the tty layer it ends up being something around 10 lines of code and
some other file somewhere in security/ that's just a switch or similar
with the whitelisted ioctl codes in it.

That (or a similar SELinux ruleset) would actually fix the problem.
SELinux would be better because it can also apply the rules when doing
things like su/sudo/...

Alan
Serge E. Hallyn June 1, 2017, 5:18 p.m. UTC | #28
Quoting Alan Cox (gnomes@lxorguk.ukuu.org.uk):
> > I still cannot wrap my head around why providing users with a
> > protection is a bad thing. Yes, the other tty games are bad, but this
> > fixes a specific and especially bad case that is easy to kill. It's
> > got a Kconfig and a sysctl. It's not on by default. This protects the
> > common case of privileged ttys that aren't attached to consoles, etc,
> 
> Which just leads to stuff not getting fixed. Like all the code out there
> today which is still vulnerable to selection based attacks because people
> didn't do the job right when "fixing" stuff because they are not
> thinking about security at a systems level but just tickboxing CVEs.
> 
> I'm not against doing something to protect the container folks, but that
> something as with Android is a whitelist of ioctls. And if we need to do

Whitelist of ioctls (at least using seccomp) is not sufficient because
then we have to turn the ioctl always-off.  But like you say we may want
to enable it for ptys which are created inside the container's user ns.

> this with a kernel hook lets do it properly.
> 
> Remember the namespace of the tty on creation

Matt's patch does this,

> If the magic security flag is set then
> 	Apply a whitelist to *any* tty ioctl call where the ns doesn't
> 		match

Seems sensible.

> and we might as well just take the Android whitelist since they've kindly
> built it for us all!
> 
> In the tty layer it ends up being something around 10 lines of code and
> some other file somewhere in security/ that's just a switch or similar
> with the whitelisted ioctl codes in it.
> 
> That (or a similar SELinux ruleset) would actually fix the problem.
> SELinux would be better because it can also apply the rules when doing
> things like su/sudo/...
> 
> Alan
Kees Cook June 1, 2017, 6:46 p.m. UTC | #29
On Thu, Jun 1, 2017 at 12:12 AM, lazytyped <lazytyped@gmail.com> wrote:
>
>
> On 6/1/17 4:35 AM, Kees Cook wrote:
>>
>> I still cannot wrap my head around why providing users with a
>> protection is a bad thing. Yes, the other tty games are bad, but this
>> fixes a specific and especially bad case that is easy to kill. It's
>> got a Kconfig and a sysctl. It's not on by default. This protects the
>> common case of privileged ttys that aren't attached to consoles, etc,
>> so while the framebuffer thing is an issue, it's not always an issue,
>> etc.
>
> There are a couple of reasons for that:
>
> First of all, a protection is extra cost, in terms of maintenance, knowledge
> (a new knob) and compatibility. That extra cost may sound minimal, but adds
> up pretty quickly. If the protection is "easily" bypassable (that is, today
> we use TIOCSTI, tomorrow we use something else in the same path), then that
> extra cost/complexity stays for no good reason. Feature creep is a real
> issue, in security, IMHO - it's not a 'number of features' game.

Yes, absolutely. But the trouble tends to be around "poor initial
design" userspace APIs that need work-arounds to make them safe. These
cases are relatively rare, luckily, so there's not much actual
"slippery slope" for adding those kinds of protections. As for
bypassing, besides Alan's physical-console-specific issues, I haven't
seen anyone point out things with privileged TTYs that are still an
escalation path when TIOCSTI is unavailable.

So, the way I see it, this is a fix for a bad API that keeps being
coded poorly in userspace that, while it doesn't fix all physical
console attacks, does block the specific issue introduced by TIOCSTI.
And since there are legit users of TIOCSTI we can't just remove it,
since some people want the functionality over the risk. Hence, a
sysctl.

All of the reasoning here seems to match the link restrictions from 5
years ago: a crappy API (sticky bit) is not handled by userspace (open
/tmp/$$!) and people get attacked. The solution was a sysctl to enable
the link restrictions that killed the entire class of the common
attack (though it didn't solve especially egregious bad uses, much
like the TIOCSTI fix). Every distro enabled the sysctl, and, while the
data is noisy, looking a CVEs matching "/tmp symlink", the numbers
drop from 2013 and later (with none yet for 2017).

> Second, stuff that is delivered off by default tends to rot. I don't work on
> Linux, but generally try really hard to not add something that is not ON by
> default at least for a small number of things. Stuff inevitably breaks, and
> it's extra cost.
> To me, a protection that needs to be off by default, raises a red flag. I
> know Linux has a somewhat different philosophy (centered around the kernel
> config that each distribution pieces together and ships), so mileage
> probably varies there.

Totally agreed in general about the default-off, but the Linux
ecosystem is a weird one: Linus has mandated that the kernel can never
break userspace by default, effectively freeing upstream developers
from the responsibility of dealing with such breakage. However,
distros can have their own set of defaults. In many of the
security-sensitive areas, distros turn things on by default. As
mentioned above, link restrictions were enabled by default on distros
(some even before it was upstream), as well as things like
CONFIG_DEBUG_RODATA (before it was finally made mandatory, a decade
later), CONFIG_HARDENED_USERCOPY, etc.

This is the evolution of Linux security defenses: first it has to
exist (but default-off), then everyone gets comfortable with it being
enabled because distros turn it on, then everyone gets frustrated that
it's not default-on in the kernel and changes it there too, either by
identifying improvements to allow it on-by-default or just having a
flag-day. An example of the former might be the ancient progression of
/proc/self/maps protections (on-show sysctl in 2.6.22, on-open mm
check in 2.6.24, drop sysctl in 2.6.27). For the latter, noted above,
CONFIG_DEBUG_RODATA (now CONFIG_STRICT_KERNEL_RWX) is a good example
where it was just decided, finally, to make it mandatory (on x86 and
arm64 so far).

> I don't have enough skills to comment about all the possible TTY attacks and
> quirks, but I think I understand where Alan comes from.

Yeah, agreed. I certainly don't claim it solves all the TTY risks, but
it closes the door on a big one. That kind of change has real-world
benefits, and we have decades of evidence to show that just saying
"fix it in userspace" is not going to protect anyone.

-Kees
Kees Cook June 1, 2017, 6:58 p.m. UTC | #30
On Thu, Jun 1, 2017 at 6:08 AM, Alan Cox <gnomes@lxorguk.ukuu.org.uk> wrote:
>> I still cannot wrap my head around why providing users with a
>> protection is a bad thing. Yes, the other tty games are bad, but this
>> fixes a specific and especially bad case that is easy to kill. It's
>> got a Kconfig and a sysctl. It's not on by default. This protects the
>> common case of privileged ttys that aren't attached to consoles, etc,
>
> Which just leads to stuff not getting fixed. Like all the code out there
> today which is still vulnerable to selection based attacks because people
> didn't do the job right when "fixing" stuff because they are not
> thinking about security at a systems level but just tickboxing CVEs.

There's a difference between "bugs" and "security bugs". Letting
security bugs continue to get exploited because we want to flush out
bugs seems insensitive to the people getting attacked. I'd rather
protect against a class of bug than have to endless fix each bug.

> I'm not against doing something to protect the container folks, but that
> something as with Android is a whitelist of ioctls. And if we need to do
> this with a kernel hook lets do it properly.
>
> Remember the namespace of the tty on creation
> If the magic security flag is set then
>         Apply a whitelist to *any* tty ioctl call where the ns doesn't
>                 match
>
> and we might as well just take the Android whitelist since they've kindly
> built it for us all!
>
> In the tty layer it ends up being something around 10 lines of code and
> some other file somewhere in security/ that's just a switch or similar
> with the whitelisted ioctl codes in it.
>
> That (or a similar SELinux ruleset) would actually fix the problem.
> SELinux would be better because it can also apply the rules when doing
> things like su/sudo/...

Just to play devil's advocate, wouldn't such a system continue to not
address your physical-console concerns? I wouldn't want to limit the
protection to only containers (but it's a good start), since it
wouldn't protect people not using containers that still have a
privileged TTY attached badly somewhere.

If you're talking about wholistic SELinux policy, sure, I could
imagine a wholistic fix. But for the tons of people without a
comprehensive SELinux policy, the proposed protection continues to
make sense.

-Kees
Alan Cox June 1, 2017, 9:24 p.m. UTC | #31
> There's a difference between "bugs" and "security bugs". Letting

Not really, it's merely a matter of severity of result. A non security
bug that hoses your hard disk is to anyone but security nutcases at
least as bad as a security hole.

> security bugs continue to get exploited because we want to flush out
> bugs seems insensitive to the people getting attacked. I'd rather
> protect against a class of bug than have to endless fix each bug.

The others are security bugs too to varying degree

> > I'm not against doing something to protect the container folks, but that
> > something as with Android is a whitelist of ioctls. And if we need to do
> > this with a kernel hook lets do it properly.
> >
> > Remember the namespace of the tty on creation
> > If the magic security flag is set then
> >         Apply a whitelist to *any* tty ioctl call where the ns doesn't
> >                 match
> >
> > and we might as well just take the Android whitelist since they've kindly
> > built it for us all!
> >
> > In the tty layer it ends up being something around 10 lines of code and
> > some other file somewhere in security/ that's just a switch or similar
> > with the whitelisted ioctl codes in it.
> >
> > That (or a similar SELinux ruleset) would actually fix the problem.
> > SELinux would be better because it can also apply the rules when doing
> > things like su/sudo/...  
> 
> Just to play devil's advocate, wouldn't such a system continue to not
> address your physical-console concerns? I wouldn't want to limit the

It would for the cases that a whitelist and container check covers -
because the whitelist wouldn't allow you to do anything but boring stuff
on the tty. TIOCSTI is just one of a whole range of differently stupid
and annoying opportunities. Containers do not and should not be able to
set the keymap, change the video mode, use console selection, make funny
beepy noises, access video I/O registers and all the other stuff like
that. Nothing is going to break if we have a fairly conservative
whitelist.

> protection to only containers (but it's a good start), since it
> wouldn't protect people not using containers that still have a
> privileged TTY attached badly somewhere.

How are you going to magically fix the problem. I'm not opposed to fixing
the real problem but right now it appears to be a product of wishful
thinking not programming. What's the piece of security code that
magically discerns the fact you are running something untrusted at the
other end of your tty. SELinux can do it via labelling but I don't see
any generic automatic way for the kernel to magically work out when to
whitelist and when not to. If there is a better magic rule than
differing-namespace then provide the code.

You can't just disable TIOCSTI, it has users deal with it. You can
get away with disabling it for namespace crossing I think but if you do
that you need to disable a pile of others.

(If it breaks containers blocking TIOCSTI then we need to have a good
look at algorithms for deciding when to flush the input queue on exiting
a container or somesuch)

> If you're talking about wholistic SELinux policy, sure, I could
> imagine a wholistic fix. But for the tons of people without a
> comprehensive SELinux policy, the proposed protection continues to
> make sense.

No it doesn't. It's completely useless unless you actually bother to
address the other exploit opportunities.

Right now the proposal is a hack to do 

	if (TIOCSTI && different_namespace && magic_flag)

the proper solution is

	if (!whitelisted(ioctl) && different_namespace && magic_flag)

The former is snake oil, the latter actually deals with the problem space
for namespaced stuff comprehensively and is only a tiny amount more code.

For non namespaced stuff it makes it no worse, if you don't allocate a
pty/tty pair properly then the gods are not going to magically save you
from on high sorry. And if you want to completely kill TIOCSTI even
though it's kind of pointless you can use seccomp.

We can make things a bit better for the non-namespaced cases by providing
a new ioctl that turns on/off whitelisting for that tty so that the
process can do

	ioctl(tty_fd, TIOCTRUST, &zero);
	execl("/home/foo/stupid-idea", "ooops", NULL);

that's a simple per tty flag and a trivial one condition extra check to
the test above. We do need some way to change it back however and that's
a bit trickier given we don't want the stupid-idea tool to be able to but
we do want the invoking shell to - maybe you have to be session leader ?

Alan
Alan Cox June 1, 2017, 9:26 p.m. UTC | #32
On Thu, 1 Jun 2017 12:18:58 -0500
"Serge E. Hallyn" <serge@hallyn.com> wrote:

> Quoting Alan Cox (gnomes@lxorguk.ukuu.org.uk):
> > > I still cannot wrap my head around why providing users with a
> > > protection is a bad thing. Yes, the other tty games are bad, but this
> > > fixes a specific and especially bad case that is easy to kill. It's
> > > got a Kconfig and a sysctl. It's not on by default. This protects the
> > > common case of privileged ttys that aren't attached to consoles, etc,  
> > 
> > Which just leads to stuff not getting fixed. Like all the code out there
> > today which is still vulnerable to selection based attacks because people
> > didn't do the job right when "fixing" stuff because they are not
> > thinking about security at a systems level but just tickboxing CVEs.
> > 
> > I'm not against doing something to protect the container folks, but that
> > something as with Android is a whitelist of ioctls. And if we need to do  
> 
> Whitelist of ioctls (at least using seccomp) is not sufficient because
> then we have to turn the ioctl always-off.  But like you say we may want
> to enable it for ptys which are created inside the container's user ns.
> 
> > this with a kernel hook lets do it properly.
> > 
> > Remember the namespace of the tty on creation  
> 
> Matt's patch does this,
> 
> > If the magic security flag is set then
> > 	Apply a whitelist to *any* tty ioctl call where the ns doesn't
> > 		match  
> 
> Seems sensible.

I'm arguing that we need to swap the TIOCSTI test for a !whitelisted()
test to go with the namespace difference check. Then it makes sense
because we actually address the real problem.

Alan
James Morris June 1, 2017, 10:56 p.m. UTC | #33
On Thu, 1 Jun 2017, Kees Cook wrote:

> All of the reasoning here seems to match the link restrictions from 5
> years ago: a crappy API (sticky bit) is not handled by userspace (open
> /tmp/$$!) and people get attacked. The solution was a sysctl to enable
> the link restrictions that killed the entire class of the common
> attack (though it didn't solve especially egregious bad uses, much

This is the problem -- it doesn't really eliminate the underlying issue.

A better solution (in this case) was to implement a new API which 
addresses the issue at an architectural level, i.e. namespace-based 
private /tmp views, and encourage its adoption.

> like the TIOCSTI fix). Every distro enabled the sysctl, and, while the
> data is noisy, looking a CVEs matching "/tmp symlink", the numbers
> drop from 2013 and later (with none yet for 2017).

I wonder how much of this is due to the sysctl vs. adoption of private 
/tmp, and what may be lurking in the "egregious bad uses" category for 
future CVEs.  And obviously we don't know what various folk may have up 
their sleeves, if anything.
Matt Brown June 2, 2017, 2:46 p.m. UTC | #34
On 6/1/17 5:24 PM, Alan Cox wrote:
>> There's a difference between "bugs" and "security bugs". Letting
> 
> Not really, it's merely a matter of severity of result. A non security
> bug that hoses your hard disk is to anyone but security nutcases at
> least as bad as a security hole.
> 
>> security bugs continue to get exploited because we want to flush out
>> bugs seems insensitive to the people getting attacked. I'd rather
>> protect against a class of bug than have to endless fix each bug.
> 
> The others are security bugs too to varying degree
> 
>>> I'm not against doing something to protect the container folks, but that
>>> something as with Android is a whitelist of ioctls. And if we need to do
>>> this with a kernel hook lets do it properly.
>>>
>>> Remember the namespace of the tty on creation
>>> If the magic security flag is set then
>>>         Apply a whitelist to *any* tty ioctl call where the ns doesn't
>>>                 match
>>>
>>> and we might as well just take the Android whitelist since they've kindly
>>> built it for us all!
>>>
>>> In the tty layer it ends up being something around 10 lines of code and
>>> some other file somewhere in security/ that's just a switch or similar
>>> with the whitelisted ioctl codes in it.
>>>
>>> That (or a similar SELinux ruleset) would actually fix the problem.
>>> SELinux would be better because it can also apply the rules when doing
>>> things like su/sudo/...  
>>
>> Just to play devil's advocate, wouldn't such a system continue to not
>> address your physical-console concerns? I wouldn't want to limit the
> 
> It would for the cases that a whitelist and container check covers -
> because the whitelist wouldn't allow you to do anything but boring stuff
> on the tty. TIOCSTI is just one of a whole range of differently stupid
> and annoying opportunities. Containers do not and should not be able to
> set the keymap, change the video mode, use console selection, make funny
> beepy noises, access video I/O registers and all the other stuff like
> that. Nothing is going to break if we have a fairly conservative
> whitelist.
> 
>> protection to only containers (but it's a good start), since it
>> wouldn't protect people not using containers that still have a
>> privileged TTY attached badly somewhere.
> 
> How are you going to magically fix the problem. I'm not opposed to fixing
> the real problem but right now it appears to be a product of wishful
> thinking not programming. What's the piece of security code that
> magically discerns the fact you are running something untrusted at the
> other end of your tty. SELinux can do it via labelling but I don't see
> any generic automatic way for the kernel to magically work out when to
> whitelist and when not to. If there is a better magic rule than
> differing-namespace then provide the code.
> 
> You can't just disable TIOCSTI, it has users deal with it. You can
> get away with disabling it for namespace crossing I think but if you do
> that you need to disable a pile of others.
> 
> (If it breaks containers blocking TIOCSTI then we need to have a good
> look at algorithms for deciding when to flush the input queue on exiting
> a container or somesuch)
> 
>> If you're talking about wholistic SELinux policy, sure, I could
>> imagine a wholistic fix. But for the tons of people without a
>> comprehensive SELinux policy, the proposed protection continues to
>> make sense.
> 
> No it doesn't. It's completely useless unless you actually bother to
> address the other exploit opportunities.
> 
> Right now the proposal is a hack to do 
> 
> 	if (TIOCSTI && different_namespace && magic_flag)
> 


This is not what my patch does. Mine is like:

	if (TIOCSTI && !ns_capable(tty->owner_user_ns, CAP_SYS_ADMIN) &&
		magic_flag)

in other words:
	if (TIOCSTI && (different_owner_user_ns || !CAP_SYS_ADMIN) &&
		magic_flag)

can you specify what you mean by different_namespace? which namespace?

The reason I brought in the user namespace was to solve an edge case
with nested containers. capable() will never be true in a container, so
nested containers would break if we didn't do the ns_capable check. This
is also the reason for the addition of owner_user_ns to tty_struct.

The point of my patch is to prevent any type of tiocsti activity where
the tty is given to an unprivileged process/container. The emphasis of
my check is on the CAP_SYS_ADMIN part, not the namespace part.

> the proper solution is
> 
> 	if (!whitelisted(ioctl) && different_namespace && magic_flag)
> 
> The former is snake oil, the latter actually deals with the problem space
> for namespaced stuff comprehensively and is only a tiny amount more code.
> 
> For non namespaced stuff it makes it no worse, if you don't allocate a
> pty/tty pair properly then the gods are not going to magically save you
> from on high sorry. And if you want to completely kill TIOCSTI even
> though it's kind of pointless you can use seccomp.
> 
> We can make things a bit better for the non-namespaced cases by providing
> a new ioctl that turns on/off whitelisting for that tty so that the
> process can do
> 
> 	ioctl(tty_fd, TIOCTRUST, &zero);
> 	execl("/home/foo/stupid-idea", "ooops", NULL);
> 
> that's a simple per tty flag and a trivial one condition extra check to
> the test above. We do need some way to change it back however and that's
> a bit trickier given we don't want the stupid-idea tool to be able to but
> we do want the invoking shell to - maybe you have to be session leader ?
> 
> Alan
>
Serge E. Hallyn June 2, 2017, 3:36 p.m. UTC | #35
Quoting Matt Brown (matt@nmatt.com):
> On 6/1/17 5:24 PM, Alan Cox wrote:
> >> There's a difference between "bugs" and "security bugs". Letting
> > 
> > Not really, it's merely a matter of severity of result. A non security
> > bug that hoses your hard disk is to anyone but security nutcases at
> > least as bad as a security hole.
> > 
> >> security bugs continue to get exploited because we want to flush out
> >> bugs seems insensitive to the people getting attacked. I'd rather
> >> protect against a class of bug than have to endless fix each bug.
> > 
> > The others are security bugs too to varying degree
> > 
> >>> I'm not against doing something to protect the container folks, but that
> >>> something as with Android is a whitelist of ioctls. And if we need to do
> >>> this with a kernel hook lets do it properly.
> >>>
> >>> Remember the namespace of the tty on creation
> >>> If the magic security flag is set then
> >>>         Apply a whitelist to *any* tty ioctl call where the ns doesn't
> >>>                 match
> >>>
> >>> and we might as well just take the Android whitelist since they've kindly
> >>> built it for us all!
> >>>
> >>> In the tty layer it ends up being something around 10 lines of code and
> >>> some other file somewhere in security/ that's just a switch or similar
> >>> with the whitelisted ioctl codes in it.
> >>>
> >>> That (or a similar SELinux ruleset) would actually fix the problem.
> >>> SELinux would be better because it can also apply the rules when doing
> >>> things like su/sudo/...  
> >>
> >> Just to play devil's advocate, wouldn't such a system continue to not
> >> address your physical-console concerns? I wouldn't want to limit the
> > 
> > It would for the cases that a whitelist and container check covers -
> > because the whitelist wouldn't allow you to do anything but boring stuff
> > on the tty. TIOCSTI is just one of a whole range of differently stupid
> > and annoying opportunities. Containers do not and should not be able to
> > set the keymap, change the video mode, use console selection, make funny
> > beepy noises, access video I/O registers and all the other stuff like
> > that. Nothing is going to break if we have a fairly conservative
> > whitelist.
> > 
> >> protection to only containers (but it's a good start), since it
> >> wouldn't protect people not using containers that still have a
> >> privileged TTY attached badly somewhere.
> > 
> > How are you going to magically fix the problem. I'm not opposed to fixing
> > the real problem but right now it appears to be a product of wishful
> > thinking not programming. What's the piece of security code that
> > magically discerns the fact you are running something untrusted at the
> > other end of your tty. SELinux can do it via labelling but I don't see
> > any generic automatic way for the kernel to magically work out when to
> > whitelist and when not to. If there is a better magic rule than
> > differing-namespace then provide the code.
> > 
> > You can't just disable TIOCSTI, it has users deal with it. You can
> > get away with disabling it for namespace crossing I think but if you do
> > that you need to disable a pile of others.
> > 
> > (If it breaks containers blocking TIOCSTI then we need to have a good
> > look at algorithms for deciding when to flush the input queue on exiting
> > a container or somesuch)
> > 
> >> If you're talking about wholistic SELinux policy, sure, I could
> >> imagine a wholistic fix. But for the tons of people without a
> >> comprehensive SELinux policy, the proposed protection continues to
> >> make sense.
> > 
> > No it doesn't. It's completely useless unless you actually bother to
> > address the other exploit opportunities.
> > 
> > Right now the proposal is a hack to do 
> > 
> > 	if (TIOCSTI && different_namespace && magic_flag)
> > 
> 
> 
> This is not what my patch does. Mine is like:
> 
> 	if (TIOCSTI && !ns_capable(tty->owner_user_ns, CAP_SYS_ADMIN) &&
> 		magic_flag)
> 
> in other words:
> 	if (TIOCSTI && (different_owner_user_ns || !CAP_SYS_ADMIN) &&
> 		magic_flag)
> 
> can you specify what you mean by different_namespace? which namespace?

I think you're focusing on the wrong thing.  Your capable check (apart
from the fact that I think I've been convinced CAP_SYS_ADMIN is wrong)
is fine.

The key point is to not only check for TIOCSTI, but instead check for
a whitelisted ioctl.

What would the whitelist look like?  Should configuing that be the way
that you enable/disable, instead of the sysctl in this patchset?  So
by default the whitelist includes all ioctls (no change), but things
like sandboxes/sudo/container-starts can clear out the whitelist?
Matt Brown June 2, 2017, 4:02 p.m. UTC | #36
On 6/2/17 11:36 AM, Serge E. Hallyn wrote:
> Quoting Matt Brown (matt@nmatt.com):
>> On 6/1/17 5:24 PM, Alan Cox wrote:
>>>> There's a difference between "bugs" and "security bugs". Letting
>>>
>>> Not really, it's merely a matter of severity of result. A non security
>>> bug that hoses your hard disk is to anyone but security nutcases at
>>> least as bad as a security hole.
>>>
>>>> security bugs continue to get exploited because we want to flush out
>>>> bugs seems insensitive to the people getting attacked. I'd rather
>>>> protect against a class of bug than have to endless fix each bug.
>>>
>>> The others are security bugs too to varying degree
>>>
>>>>> I'm not against doing something to protect the container folks, but that
>>>>> something as with Android is a whitelist of ioctls. And if we need to do
>>>>> this with a kernel hook lets do it properly.
>>>>>
>>>>> Remember the namespace of the tty on creation
>>>>> If the magic security flag is set then
>>>>>         Apply a whitelist to *any* tty ioctl call where the ns doesn't
>>>>>                 match
>>>>>
>>>>> and we might as well just take the Android whitelist since they've kindly
>>>>> built it for us all!
>>>>>
>>>>> In the tty layer it ends up being something around 10 lines of code and
>>>>> some other file somewhere in security/ that's just a switch or similar
>>>>> with the whitelisted ioctl codes in it.
>>>>>
>>>>> That (or a similar SELinux ruleset) would actually fix the problem.
>>>>> SELinux would be better because it can also apply the rules when doing
>>>>> things like su/sudo/...  
>>>>
>>>> Just to play devil's advocate, wouldn't such a system continue to not
>>>> address your physical-console concerns? I wouldn't want to limit the
>>>
>>> It would for the cases that a whitelist and container check covers -
>>> because the whitelist wouldn't allow you to do anything but boring stuff
>>> on the tty. TIOCSTI is just one of a whole range of differently stupid
>>> and annoying opportunities. Containers do not and should not be able to
>>> set the keymap, change the video mode, use console selection, make funny
>>> beepy noises, access video I/O registers and all the other stuff like
>>> that. Nothing is going to break if we have a fairly conservative
>>> whitelist.
>>>
>>>> protection to only containers (but it's a good start), since it
>>>> wouldn't protect people not using containers that still have a
>>>> privileged TTY attached badly somewhere.
>>>
>>> How are you going to magically fix the problem. I'm not opposed to fixing
>>> the real problem but right now it appears to be a product of wishful
>>> thinking not programming. What's the piece of security code that
>>> magically discerns the fact you are running something untrusted at the
>>> other end of your tty. SELinux can do it via labelling but I don't see
>>> any generic automatic way for the kernel to magically work out when to
>>> whitelist and when not to. If there is a better magic rule than
>>> differing-namespace then provide the code.
>>>
>>> You can't just disable TIOCSTI, it has users deal with it. You can
>>> get away with disabling it for namespace crossing I think but if you do
>>> that you need to disable a pile of others.
>>>
>>> (If it breaks containers blocking TIOCSTI then we need to have a good
>>> look at algorithms for deciding when to flush the input queue on exiting
>>> a container or somesuch)
>>>
>>>> If you're talking about wholistic SELinux policy, sure, I could
>>>> imagine a wholistic fix. But for the tons of people without a
>>>> comprehensive SELinux policy, the proposed protection continues to
>>>> make sense.
>>>
>>> No it doesn't. It's completely useless unless you actually bother to
>>> address the other exploit opportunities.
>>>
>>> Right now the proposal is a hack to do 
>>>
>>> 	if (TIOCSTI && different_namespace && magic_flag)
>>>
>>
>>
>> This is not what my patch does. Mine is like:
>>
>> 	if (TIOCSTI && !ns_capable(tty->owner_user_ns, CAP_SYS_ADMIN) &&
>> 		magic_flag)
>>
>> in other words:
>> 	if (TIOCSTI && (different_owner_user_ns || !CAP_SYS_ADMIN) &&
>> 		magic_flag)
>>
>> can you specify what you mean by different_namespace? which namespace?
> 
> I think you're focusing on the wrong thing.  Your capable check (apart
> from the fact that I think I've been convinced CAP_SYS_ADMIN is wrong)
> is fine.

Can't we also have a sysctl that toggles if CAP_SYS_ADMIN is involved in
this whitelist check? Otherwise someone might leave things out of the
whitelist just because they want to use those ioctls as a privileged
process. Also restricting a privileged user from ioctls with this
whitelist approach is going to be pointless because, if the whitelist is
configurable from userspace, they will just be able to modify the
whitelist.

> 
> The key point is to not only check for TIOCSTI, but instead check for
> a whitelisted ioctl.
> 
> What would the whitelist look like?  Should configuing that be the way
> that you enable/disable, instead of the sysctl in this patchset?  So
> by default the whitelist includes all ioctls (no change), but things
> like sandboxes/sudo/container-starts can clear out the whitelist?
> 

I'm fine with moving this to an LSM that whitelists ioctls. I also want
to understand what a whitelist would like look and how you would
configure it? Does a sysctl that is a list of allowed ioctls work? I
don't want to just have a static whitelist that you can't change without
recompiling your kernel.

just running a sysctl -a on a linux box shows me one thing that looks
like a list: net.core.flow_limit_cpu_bitmap
Serge E. Hallyn June 2, 2017, 4:57 p.m. UTC | #37
Quoting Matt Brown (matt@nmatt.com):
> On 6/2/17 11:36 AM, Serge E. Hallyn wrote:
> > Quoting Matt Brown (matt@nmatt.com):
> >> On 6/1/17 5:24 PM, Alan Cox wrote:
> >>>> There's a difference between "bugs" and "security bugs". Letting
> >>>
> >>> Not really, it's merely a matter of severity of result. A non security
> >>> bug that hoses your hard disk is to anyone but security nutcases at
> >>> least as bad as a security hole.
> >>>
> >>>> security bugs continue to get exploited because we want to flush out
> >>>> bugs seems insensitive to the people getting attacked. I'd rather
> >>>> protect against a class of bug than have to endless fix each bug.
> >>>
> >>> The others are security bugs too to varying degree
> >>>
> >>>>> I'm not against doing something to protect the container folks, but that
> >>>>> something as with Android is a whitelist of ioctls. And if we need to do
> >>>>> this with a kernel hook lets do it properly.
> >>>>>
> >>>>> Remember the namespace of the tty on creation
> >>>>> If the magic security flag is set then
> >>>>>         Apply a whitelist to *any* tty ioctl call where the ns doesn't
> >>>>>                 match
> >>>>>
> >>>>> and we might as well just take the Android whitelist since they've kindly
> >>>>> built it for us all!
> >>>>>
> >>>>> In the tty layer it ends up being something around 10 lines of code and
> >>>>> some other file somewhere in security/ that's just a switch or similar
> >>>>> with the whitelisted ioctl codes in it.
> >>>>>
> >>>>> That (or a similar SELinux ruleset) would actually fix the problem.
> >>>>> SELinux would be better because it can also apply the rules when doing
> >>>>> things like su/sudo/...  
> >>>>
> >>>> Just to play devil's advocate, wouldn't such a system continue to not
> >>>> address your physical-console concerns? I wouldn't want to limit the
> >>>
> >>> It would for the cases that a whitelist and container check covers -
> >>> because the whitelist wouldn't allow you to do anything but boring stuff
> >>> on the tty. TIOCSTI is just one of a whole range of differently stupid
> >>> and annoying opportunities. Containers do not and should not be able to
> >>> set the keymap, change the video mode, use console selection, make funny
> >>> beepy noises, access video I/O registers and all the other stuff like
> >>> that. Nothing is going to break if we have a fairly conservative
> >>> whitelist.
> >>>
> >>>> protection to only containers (but it's a good start), since it
> >>>> wouldn't protect people not using containers that still have a
> >>>> privileged TTY attached badly somewhere.
> >>>
> >>> How are you going to magically fix the problem. I'm not opposed to fixing
> >>> the real problem but right now it appears to be a product of wishful
> >>> thinking not programming. What's the piece of security code that
> >>> magically discerns the fact you are running something untrusted at the
> >>> other end of your tty. SELinux can do it via labelling but I don't see
> >>> any generic automatic way for the kernel to magically work out when to
> >>> whitelist and when not to. If there is a better magic rule than
> >>> differing-namespace then provide the code.
> >>>
> >>> You can't just disable TIOCSTI, it has users deal with it. You can
> >>> get away with disabling it for namespace crossing I think but if you do
> >>> that you need to disable a pile of others.
> >>>
> >>> (If it breaks containers blocking TIOCSTI then we need to have a good
> >>> look at algorithms for deciding when to flush the input queue on exiting
> >>> a container or somesuch)
> >>>
> >>>> If you're talking about wholistic SELinux policy, sure, I could
> >>>> imagine a wholistic fix. But for the tons of people without a
> >>>> comprehensive SELinux policy, the proposed protection continues to
> >>>> make sense.
> >>>
> >>> No it doesn't. It's completely useless unless you actually bother to
> >>> address the other exploit opportunities.
> >>>
> >>> Right now the proposal is a hack to do 
> >>>
> >>> 	if (TIOCSTI && different_namespace && magic_flag)
> >>>
> >>
> >>
> >> This is not what my patch does. Mine is like:
> >>
> >> 	if (TIOCSTI && !ns_capable(tty->owner_user_ns, CAP_SYS_ADMIN) &&
> >> 		magic_flag)
> >>
> >> in other words:
> >> 	if (TIOCSTI && (different_owner_user_ns || !CAP_SYS_ADMIN) &&
> >> 		magic_flag)
> >>
> >> can you specify what you mean by different_namespace? which namespace?
> > 
> > I think you're focusing on the wrong thing.  Your capable check (apart
> > from the fact that I think I've been convinced CAP_SYS_ADMIN is wrong)
> > is fine.
> 

I'm cc:ing linux-api here because really we're designing an interesting
API.

> Can't we also have a sysctl that toggles if CAP_SYS_ADMIN is involved in
> this whitelist check?  Otherwise someone might leave things out of the
> whitelist just because they want to use those ioctls as a privileged
> process.

I'm not quite sure what you're asking for here.  Let me offer a precise
strawman design.  I'm sure there are problems with it, it's just a starting
point.

system-wide whitelist (for now 'may_push_chars') is full by default.

By default, nothing changes - you can use those on your own tty, need
CAP_SYS_ADMIN against init_user_ns otherwise.

Introduce a new CAP_TTY_PRIVILEGED.

When may_push_chars is removed from the whitelist, you lose the ability
to use TIOCSTI on a tty - even your own - if you do not have CAP_TTY_PRIVILEGED
against the tty's user_ns.

>  Also restricting a privileged user from ioctls with this
> whitelist approach is going to be pointless because, if the whitelist is
> configurable from userspace, they will just be able to modify the
> whitelist.
> 
> > 
> > The key point is to not only check for TIOCSTI, but instead check for
> > a whitelisted ioctl.
> > 
> > What would the whitelist look like?  Should configuing that be the way
> > that you enable/disable, instead of the sysctl in this patchset?  So
> > by default the whitelist includes all ioctls (no change), but things
> > like sandboxes/sudo/container-starts can clear out the whitelist?
> > 
> 
> I'm fine with moving this to an LSM that whitelists ioctls. I also want

Right -  what else would go into the whitelist?  may_mmap?

> to understand what a whitelist would like look and how you would
> configure it? Does a sysctl that is a list of allowed ioctls work? I
> don't want to just have a static whitelist that you can't change without
> recompiling your kernel.
> 
> just running a sysctl -a on a linux box shows me one thing that looks
> like a list: net.core.flow_limit_cpu_bitmap
Matt Brown June 2, 2017, 5:32 p.m. UTC | #38
On 6/2/17 12:57 PM, Serge E. Hallyn wrote:
> Quoting Matt Brown (matt@nmatt.com):
>> On 6/2/17 11:36 AM, Serge E. Hallyn wrote:
>>> Quoting Matt Brown (matt@nmatt.com):
>>>> On 6/1/17 5:24 PM, Alan Cox wrote:
>>>>>> There's a difference between "bugs" and "security bugs". Letting
>>>>>
>>>>> Not really, it's merely a matter of severity of result. A non security
>>>>> bug that hoses your hard disk is to anyone but security nutcases at
>>>>> least as bad as a security hole.
>>>>>
>>>>>> security bugs continue to get exploited because we want to flush out
>>>>>> bugs seems insensitive to the people getting attacked. I'd rather
>>>>>> protect against a class of bug than have to endless fix each bug.
>>>>>
>>>>> The others are security bugs too to varying degree
>>>>>
>>>>>>> I'm not against doing something to protect the container folks, but that
>>>>>>> something as with Android is a whitelist of ioctls. And if we need to do
>>>>>>> this with a kernel hook lets do it properly.
>>>>>>>
>>>>>>> Remember the namespace of the tty on creation
>>>>>>> If the magic security flag is set then
>>>>>>>         Apply a whitelist to *any* tty ioctl call where the ns doesn't
>>>>>>>                 match
>>>>>>>
>>>>>>> and we might as well just take the Android whitelist since they've kindly
>>>>>>> built it for us all!
>>>>>>>
>>>>>>> In the tty layer it ends up being something around 10 lines of code and
>>>>>>> some other file somewhere in security/ that's just a switch or similar
>>>>>>> with the whitelisted ioctl codes in it.
>>>>>>>
>>>>>>> That (or a similar SELinux ruleset) would actually fix the problem.
>>>>>>> SELinux would be better because it can also apply the rules when doing
>>>>>>> things like su/sudo/...  
>>>>>>
>>>>>> Just to play devil's advocate, wouldn't such a system continue to not
>>>>>> address your physical-console concerns? I wouldn't want to limit the
>>>>>
>>>>> It would for the cases that a whitelist and container check covers -
>>>>> because the whitelist wouldn't allow you to do anything but boring stuff
>>>>> on the tty. TIOCSTI is just one of a whole range of differently stupid
>>>>> and annoying opportunities. Containers do not and should not be able to
>>>>> set the keymap, change the video mode, use console selection, make funny
>>>>> beepy noises, access video I/O registers and all the other stuff like
>>>>> that. Nothing is going to break if we have a fairly conservative
>>>>> whitelist.
>>>>>
>>>>>> protection to only containers (but it's a good start), since it
>>>>>> wouldn't protect people not using containers that still have a
>>>>>> privileged TTY attached badly somewhere.
>>>>>
>>>>> How are you going to magically fix the problem. I'm not opposed to fixing
>>>>> the real problem but right now it appears to be a product of wishful
>>>>> thinking not programming. What's the piece of security code that
>>>>> magically discerns the fact you are running something untrusted at the
>>>>> other end of your tty. SELinux can do it via labelling but I don't see
>>>>> any generic automatic way for the kernel to magically work out when to
>>>>> whitelist and when not to. If there is a better magic rule than
>>>>> differing-namespace then provide the code.
>>>>>
>>>>> You can't just disable TIOCSTI, it has users deal with it. You can
>>>>> get away with disabling it for namespace crossing I think but if you do
>>>>> that you need to disable a pile of others.
>>>>>
>>>>> (If it breaks containers blocking TIOCSTI then we need to have a good
>>>>> look at algorithms for deciding when to flush the input queue on exiting
>>>>> a container or somesuch)
>>>>>
>>>>>> If you're talking about wholistic SELinux policy, sure, I could
>>>>>> imagine a wholistic fix. But for the tons of people without a
>>>>>> comprehensive SELinux policy, the proposed protection continues to
>>>>>> make sense.
>>>>>
>>>>> No it doesn't. It's completely useless unless you actually bother to
>>>>> address the other exploit opportunities.
>>>>>
>>>>> Right now the proposal is a hack to do 
>>>>>
>>>>> 	if (TIOCSTI && different_namespace && magic_flag)
>>>>>
>>>>
>>>>
>>>> This is not what my patch does. Mine is like:
>>>>
>>>> 	if (TIOCSTI && !ns_capable(tty->owner_user_ns, CAP_SYS_ADMIN) &&
>>>> 		magic_flag)
>>>>
>>>> in other words:
>>>> 	if (TIOCSTI && (different_owner_user_ns || !CAP_SYS_ADMIN) &&
>>>> 		magic_flag)
>>>>
>>>> can you specify what you mean by different_namespace? which namespace?
>>>
>>> I think you're focusing on the wrong thing.  Your capable check (apart
>>> from the fact that I think I've been convinced CAP_SYS_ADMIN is wrong)
>>> is fine.
>>
> 
> I'm cc:ing linux-api here because really we're designing an interesting
> API.
> 
>> Can't we also have a sysctl that toggles if CAP_SYS_ADMIN is involved in
>> this whitelist check?  Otherwise someone might leave things out of the
>> whitelist just because they want to use those ioctls as a privileged
>> process.
> 
> I'm not quite sure what you're asking for here.  Let me offer a precise
> strawman design.  I'm sure there are problems with it, it's just a starting
> point.
> 
> system-wide whitelist (for now 'may_push_chars') is full by default.
> 

So is may_push_chars just an alias for TIOCSTI? Or are there some
potential whitelist members that would map to multiple ioctls?

> By default, nothing changes - you can use those on your own tty, need
> CAP_SYS_ADMIN against init_user_ns otherwise.
> 
> Introduce a new CAP_TTY_PRIVILEGED.
> 

I'm fine with this.

> When may_push_chars is removed from the whitelist, you lose the ability
> to use TIOCSTI on a tty - even your own - if you do not have CAP_TTY_PRIVILEGED
> against the tty's user_ns.
> 

How do you propose storing/updating the whitelist? sysctl?

If it is a sysctl, would each whitelist member have a sysctl?
e.g.: kernel.ioctlwhitelist.may_push_chars = 1

Overall, I'm fine with this idea.

>>  Also restricting a privileged user from ioctls with this
>> whitelist approach is going to be pointless because, if the whitelist is
>> configurable from userspace, they will just be able to modify the
>> whitelist.
>>
>>>
>>> The key point is to not only check for TIOCSTI, but instead check for
>>> a whitelisted ioctl.
>>>
>>> What would the whitelist look like?  Should configuing that be the way
>>> that you enable/disable, instead of the sysctl in this patchset?  So
>>> by default the whitelist includes all ioctls (no change), but things
>>> like sandboxes/sudo/container-starts can clear out the whitelist?
>>>
>>
>> I'm fine with moving this to an LSM that whitelists ioctls. I also want
> 
> Right -  what else would go into the whitelist?  may_mmap?
> 
>> to understand what a whitelist would like look and how you would
>> configure it? Does a sysctl that is a list of allowed ioctls work? I
>> don't want to just have a static whitelist that you can't change without
>> recompiling your kernel.
>>
>> just running a sysctl -a on a linux box shows me one thing that looks
>> like a list: net.core.flow_limit_cpu_bitmap
Serge E. Hallyn June 2, 2017, 6:18 p.m. UTC | #39
Quoting Matt Brown (matt@nmatt.com):
> On 6/2/17 12:57 PM, Serge E. Hallyn wrote:
> > I'm not quite sure what you're asking for here.  Let me offer a precise
> > strawman design.  I'm sure there are problems with it, it's just a starting
> > point.
> > 
> > system-wide whitelist (for now 'may_push_chars') is full by default.
> > 
> 
> So is may_push_chars just an alias for TIOCSTI? Or are there some
> potential whitelist members that would map to multiple ioctls?

<shrug>  I'm seeing it as only TIOCSTI right now.

> > By default, nothing changes - you can use those on your own tty, need
> > CAP_SYS_ADMIN against init_user_ns otherwise.
> > 
> > Introduce a new CAP_TTY_PRIVILEGED.
> > 
> 
> I'm fine with this.
> 
> > When may_push_chars is removed from the whitelist, you lose the ability
> > to use TIOCSTI on a tty - even your own - if you do not have CAP_TTY_PRIVILEGED
> > against the tty's user_ns.
> > 
> 
> How do you propose storing/updating the whitelist? sysctl?
> 
> If it is a sysctl, would each whitelist member have a sysctl?
> e.g.: kernel.ioctlwhitelist.may_push_chars = 1
> 
> Overall, I'm fine with this idea.

That sounds reasonable.  Or a securityfs file - I guess not everyone
has securityfs, but if it were to become part of YAMA then that would
work.

-serge
Kees Cook June 2, 2017, 6:46 p.m. UTC | #40
On Thu, Jun 1, 2017 at 3:56 PM, James Morris <jmorris@namei.org> wrote:
> On Thu, 1 Jun 2017, Kees Cook wrote:
>
>> All of the reasoning here seems to match the link restrictions from 5
>> years ago: a crappy API (sticky bit) is not handled by userspace (open
>> /tmp/$$!) and people get attacked. The solution was a sysctl to enable
>> the link restrictions that killed the entire class of the common
>> attack (though it didn't solve especially egregious bad uses, much
>
> This is the problem -- it doesn't really eliminate the underlying issue.
>
> A better solution (in this case) was to implement a new API which
> addresses the issue at an architectural level, i.e. namespace-based
> private /tmp views, and encourage its adoption.

I think this is a frequent mistake in evaluating how to kill bug
classes: there doesn't have to be only one solution, especially when
there are downsides to be dealt with. In the link restriction case,
the VFS solution immediately solved the vast majority of issues
without breaking any applications. The private /tmp takes time to roll
out, and breaks the shared /tmp way of doing things that some tools
use to share files, etc. So the private /tmp solves more of the
problem (eliminates link attacks in subdirectories of /tmp), but
breaks real use-cases. And ultimately, there is nothing incompatible
about the solutions, so both could (and were) pursued.

>> like the TIOCSTI fix). Every distro enabled the sysctl, and, while the
>> data is noisy, looking a CVEs matching "/tmp symlink", the numbers
>> drop from 2013 and later (with none yet for 2017).
>
> I wonder how much of this is due to the sysctl vs. adoption of private
> /tmp, and what may be lurking in the "egregious bad uses" category for
> future CVEs.  And obviously we don't know what various folk may have up
> their sleeves, if anything.

Private /tmp is still somewhat less common, the VFS changes were
rolled out almost universally, so, if the numbers can be trusted at
all, I would assume it's the VFS changes. That said, CVE numbers tend
to fluctuate based on researcher interest, rather than being a true
measure of real-world problems. The anecdata I have while at Ubuntu
was having people complain about getting owned by /tmp symlink ToCToU
from time to time on the Ubuntu security IRC channel, and after Ubuntu
rolled out the VFS changes, that dropped to zero in all the years
since.

So, I guess, my point is that there are always multiple solutions that
come with various benefits and downsides, and when there isn't a
perfect solution, imperfect solutions that make real-world changes on
attack surface are worth pursuing, even in parallel. Perfection
shouldn't be the enemy of the good. (Perfection is preferred, but it's
not usuallyt pragmatically possible.)

-Kees
Matt Brown June 2, 2017, 7:22 p.m. UTC | #41
On 6/2/17 2:18 PM, Serge E. Hallyn wrote:
> Quoting Matt Brown (matt@nmatt.com):
>> On 6/2/17 12:57 PM, Serge E. Hallyn wrote:
>>> I'm not quite sure what you're asking for here.  Let me offer a precise
>>> strawman design.  I'm sure there are problems with it, it's just a starting
>>> point.
>>>
>>> system-wide whitelist (for now 'may_push_chars') is full by default.
>>>
>>
>> So is may_push_chars just an alias for TIOCSTI? Or are there some
>> potential whitelist members that would map to multiple ioctls?
> 
> <shrug>  I'm seeing it as only TIOCSTI right now.
> 
>>> By default, nothing changes - you can use those on your own tty, need
>>> CAP_SYS_ADMIN against init_user_ns otherwise.
>>>
>>> Introduce a new CAP_TTY_PRIVILEGED.
>>>
>>
>> I'm fine with this.
>>
>>> When may_push_chars is removed from the whitelist, you lose the ability
>>> to use TIOCSTI on a tty - even your own - if you do not have CAP_TTY_PRIVILEGED
>>> against the tty's user_ns.
>>>
>>
>> How do you propose storing/updating the whitelist? sysctl?
>>
>> If it is a sysctl, would each whitelist member have a sysctl?
>> e.g.: kernel.ioctlwhitelist.may_push_chars = 1
>>
>> Overall, I'm fine with this idea.
> 
> That sounds reasonable.  Or a securityfs file - I guess not everyone
> has securityfs, but if it were to become part of YAMA then that would
> work.
> 

Yama doesn't depend on securityfs does it?

What do other people think? Should this be an addition to YAMA or its
own thing?

Alan Cox: what do you think of the above ioctl whitelisting scheme?
Kees Cook June 2, 2017, 7:25 p.m. UTC | #42
On Fri, Jun 2, 2017 at 12:22 PM, Matt Brown <matt@nmatt.com> wrote:
> On 6/2/17 2:18 PM, Serge E. Hallyn wrote:
>> Quoting Matt Brown (matt@nmatt.com):
>>> On 6/2/17 12:57 PM, Serge E. Hallyn wrote:
>>>> I'm not quite sure what you're asking for here.  Let me offer a precise
>>>> strawman design.  I'm sure there are problems with it, it's just a starting
>>>> point.
>>>>
>>>> system-wide whitelist (for now 'may_push_chars') is full by default.
>>>>
>>>
>>> So is may_push_chars just an alias for TIOCSTI? Or are there some
>>> potential whitelist members that would map to multiple ioctls?
>>
>> <shrug>  I'm seeing it as only TIOCSTI right now.
>>
>>>> By default, nothing changes - you can use those on your own tty, need
>>>> CAP_SYS_ADMIN against init_user_ns otherwise.
>>>>
>>>> Introduce a new CAP_TTY_PRIVILEGED.
>>>>
>>>
>>> I'm fine with this.
>>>
>>>> When may_push_chars is removed from the whitelist, you lose the ability
>>>> to use TIOCSTI on a tty - even your own - if you do not have CAP_TTY_PRIVILEGED
>>>> against the tty's user_ns.
>>>>
>>>
>>> How do you propose storing/updating the whitelist? sysctl?
>>>
>>> If it is a sysctl, would each whitelist member have a sysctl?
>>> e.g.: kernel.ioctlwhitelist.may_push_chars = 1
>>>
>>> Overall, I'm fine with this idea.
>>
>> That sounds reasonable.  Or a securityfs file - I guess not everyone
>> has securityfs, but if it were to become part of YAMA then that would
>> work.
>>
>
> Yama doesn't depend on securityfs does it?
>
> What do other people think? Should this be an addition to YAMA or its
> own thing?
>
> Alan Cox: what do you think of the above ioctl whitelisting scheme?

It's easy to stack LSMs, so since Yama is ptrace-focused, perhaps make
a separate one for TTY hardening?

-Kees
Matt Brown June 2, 2017, 7:26 p.m. UTC | #43
On 6/2/17 3:25 PM, Kees Cook wrote:
> On Fri, Jun 2, 2017 at 12:22 PM, Matt Brown <matt@nmatt.com> wrote:
>> On 6/2/17 2:18 PM, Serge E. Hallyn wrote:
>>> Quoting Matt Brown (matt@nmatt.com):
>>>> On 6/2/17 12:57 PM, Serge E. Hallyn wrote:
>>>>> I'm not quite sure what you're asking for here.  Let me offer a precise
>>>>> strawman design.  I'm sure there are problems with it, it's just a starting
>>>>> point.
>>>>>
>>>>> system-wide whitelist (for now 'may_push_chars') is full by default.
>>>>>
>>>>
>>>> So is may_push_chars just an alias for TIOCSTI? Or are there some
>>>> potential whitelist members that would map to multiple ioctls?
>>>
>>> <shrug>  I'm seeing it as only TIOCSTI right now.
>>>
>>>>> By default, nothing changes - you can use those on your own tty, need
>>>>> CAP_SYS_ADMIN against init_user_ns otherwise.
>>>>>
>>>>> Introduce a new CAP_TTY_PRIVILEGED.
>>>>>
>>>>
>>>> I'm fine with this.
>>>>
>>>>> When may_push_chars is removed from the whitelist, you lose the ability
>>>>> to use TIOCSTI on a tty - even your own - if you do not have CAP_TTY_PRIVILEGED
>>>>> against the tty's user_ns.
>>>>>
>>>>
>>>> How do you propose storing/updating the whitelist? sysctl?
>>>>
>>>> If it is a sysctl, would each whitelist member have a sysctl?
>>>> e.g.: kernel.ioctlwhitelist.may_push_chars = 1
>>>>
>>>> Overall, I'm fine with this idea.
>>>
>>> That sounds reasonable.  Or a securityfs file - I guess not everyone
>>> has securityfs, but if it were to become part of YAMA then that would
>>> work.
>>>
>>
>> Yama doesn't depend on securityfs does it?
>>
>> What do other people think? Should this be an addition to YAMA or its
>> own thing?
>>
>> Alan Cox: what do you think of the above ioctl whitelisting scheme?
> 
> It's easy to stack LSMs, so since Yama is ptrace-focused, perhaps make
> a separate one for TTY hardening?
> 

Sounds good. I also like the idea of them being separate.

Matt Brown
Alan Cox June 2, 2017, 8:05 p.m. UTC | #44
> Can't we also have a sysctl that toggles if CAP_SYS_ADMIN is involved in
> this whitelist check? Otherwise someone might leave things out of the
> whitelist just because they want to use those ioctls as a privileged
> process. Also restricting a privileged user from ioctls with this
> whitelist approach is going to be pointless because, if the whitelist is
> configurable from userspace, they will just be able to modify the
> whitelist.

Something like CAP_SYS_ADMIN is fine if you must have it configurable on
the grounds that CAP_SYS_ADMIN will let you override the list anyway.

> I'm fine with moving this to an LSM that whitelists ioctls. I also want
> to understand what a whitelist would like look and how you would
> configure it? Does a sysctl that is a list of allowed ioctls work? I
> don't want to just have a static whitelist that you can't change without
> recompiling your kernel.

That's odd because your previous argument was for a fixed one entry
whitelist containing TIOCSTI 8)

The list can probably be fixed. IMHO those wanting to do cleverer stuff
sre inevitably going to end up using a "grown up" LSM for the job because

a) they'll want to shape things like su not just containers
b) they will have cases where you want to lock down cleverly - eg you can
disable TIOCSTI use except by certain apps, and make those apps non
ptraceable so only existing real users of it can continue to use it.

For the whitelist you want most of the standard tty ioctls, but none of
the device specific ones, none of the hardware configuration ones, no
TIOCSTI, no selection, no line discipline change (or you can set a
network ldisc or various other evil and fascinating things).

I really think that for container type uses the whitelist can be fairly
clearly defined because we know a container isn't supposed to be screwing
with the hardware of the parent, configuring network interfaces or
pushing data to trip people up.

If we are prepared to accept nuisance attacks (messing up baud rate,
hangup, etc) then it's fairly easy to fix.

So I'd say it's all the generic tty ioctls except TIOCSTI and TIOCSETD
but it would be good to see what Android is going with and why.

You can still do some typeback stuff even then because the consoles and
terminals have ranges of query and requests you can trigger. As you can
use termios to absorb some symbols in the reply and map which one to use
for newline you can even type stuff. However it's very limited - hex
digits, [, c and some other oddments. People have looked hard at that and
I've yet to see a successful attack. Yes I can make you run test (aka
'[') but I've yet to see a way to use it for anything.

Alan
Nick Kralevich June 2, 2017, 8:11 p.m. UTC | #45
On Fri, Jun 2, 2017 at 1:05 PM, Alan Cox <gnomes@lxorguk.ukuu.org.uk> wrote:
> So I'd say it's all the generic tty ioctls except TIOCSTI and TIOCSETD
> but it would be good to see what Android is going with and why.

Android limits tty ioctls to the following whitelist:
  TIOCOUTQ
  FIOCLEX
  TCGETS
  TCSETS
  TIOCGWINSZ
  TIOCSWINSZ
  TIOCSCTTY
  TCSETSW
  TCFLSH
  TIOCSPGRP
  TIOCGPGRP

See unpriv_tty_ioctls at
https://android.googlesource.com/platform/system/sepolicy/+/34b4b73729b288b4109b2225c1445eb58393b8cb/public/ioctl_macros#51
Matt Brown June 2, 2017, 8:46 p.m. UTC | #46
On 6/2/17 4:05 PM, Alan Cox wrote:
>> Can't we also have a sysctl that toggles if CAP_SYS_ADMIN is involved in
>> this whitelist check? Otherwise someone might leave things out of the
>> whitelist just because they want to use those ioctls as a privileged
>> process. Also restricting a privileged user from ioctls with this
>> whitelist approach is going to be pointless because, if the whitelist is
>> configurable from userspace, they will just be able to modify the
>> whitelist.
> 
> Something like CAP_SYS_ADMIN is fine if you must have it configurable on
> the grounds that CAP_SYS_ADMIN will let you override the list anyway.
> 
>> I'm fine with moving this to an LSM that whitelists ioctls. I also want
>> to understand what a whitelist would like look and how you would
>> configure it? Does a sysctl that is a list of allowed ioctls work? I
>> don't want to just have a static whitelist that you can't change without
>> recompiling your kernel.
> 
> That's odd because your previous argument was for a fixed one entry
> whitelist containing TIOCSTI 8)
> 

I just take some convincing that's all ;)

> The list can probably be fixed. IMHO those wanting to do cleverer stuff
> sre inevitably going to end up using a "grown up" LSM for the job because
> 

I really want it to be more flexible if we are making this into a full
blown LSM. From drivers/tty/tty_ioctl.c I gather the following tty
ioctls:

TCGETA
TCGETS
TCGETS2
TCGETX
TCSETA
TCSETAF
TCSETAW
TCSETS
TCSETS2
TCSETSF
TCSETSF2
TCSETSW
TCSETSW2
TCSETX
TCSETXF
TCSETXW
TIOCGETC
TIOCGETP
TIOCGLCKTRMIOS
TIOCGLTC
TIOCGSOFTCAR
TIOCSETC
TIOCSETN
TIOCSETP
TIOCSLCKTRMIOS
TIOCSLTC
TIOCSSOFTCAR

would it be overkill to have a sysctl kernel.ttyioctlwhitelist.X where X
is one of the ioctls above?

(definitely will work on a better name than ttyioctlwhitelist)


> a) they'll want to shape things like su not just containers
> b) they will have cases where you want to lock down cleverly - eg you can
> disable TIOCSTI use except by certain apps, and make those apps non
> ptraceable so only existing real users of it can continue to use it.

I agree. When you have those kinds of requirements, a MAC is required.

> 
> For the whitelist you want most of the standard tty ioctls, but none of
> the device specific ones, none of the hardware configuration ones, no
> TIOCSTI, no selection, no line discipline change (or you can set a
> network ldisc or various other evil and fascinating things).
> 
> I really think that for container type uses the whitelist can be fairly
> clearly defined because we know a container isn't supposed to be screwing
> with the hardware of the parent, configuring network interfaces or
> pushing data to trip people up.
> 
> If we are prepared to accept nuisance attacks (messing up baud rate,
> hangup, etc) then it's fairly easy to fix.
> 
> So I'd say it's all the generic tty ioctls except TIOCSTI and TIOCSETD
> but it would be good to see what Android is going with and why.
> 
> You can still do some typeback stuff even then because the consoles and
> terminals have ranges of query and requests you can trigger. As you can
> use termios to absorb some symbols in the reply and map which one to use
> for newline you can even type stuff. However it's very limited - hex
> digits, [, c and some other oddments. People have looked hard at that and
> I've yet to see a successful attack. Yes I can make you run test (aka
> '[') but I've yet to see a way to use it for anything.
> 
> Alan
>
Alan Cox June 3, 2017, 10 p.m. UTC | #47
> TIOCSLCKTRMIOS

That one I'm more dubious about

> TIOCSLTC
> TIOCSSOFTCAR

tty_io.c also has a few and n_tty has a couple we'd want.

> 
> would it be overkill to have a sysctl kernel.ttyioctlwhitelist.X where X
> is one of the ioctls above?

Why would anyone want to change the entries on that list

Alan
Matt Brown June 3, 2017, 10:22 p.m. UTC | #48
On 06/03/2017 06:00 PM, Alan Cox wrote:
>> TIOCSLCKTRMIOS
>
> That one I'm more dubious about
>
>> TIOCSLTC
>> TIOCSSOFTCAR
>
> tty_io.c also has a few and n_tty has a couple we'd want.
>
>>
>> would it be overkill to have a sysctl kernel.ttyioctlwhitelist.X where X
>> is one of the ioctls above?
>
> Why would anyone want to change the entries on that list
>

Did you see Serge's proposed solution? I want us to not be talking past
each other. Serge proposed the following:

| By default, nothing changes - you can use those on your own tty, need
| CAP_SYS_ADMIN against init_user_ns otherwise.
|
| Introduce a new CAP_TTY_PRIVILEGED.
|
| When may_push_chars is removed from the whitelist, you lose the
| ability to use TIOCSTI on a tty - even your own - if you do not have
| CAP_TTY_PRIVILEGED against the tty's user_ns.

The question is how do you add/remove something from this whitelist? I
assume by add/remove we don't mean that you have to recompile your
kernel to change the whitelist!

you earlier said you wanted the check to look like this:

| if (!whitelisted(ioctl) && different_namespace && magic_flag)

I want to know which namespace you are talking about here. Did you mean
user_namespace? (the namespace I added tracking for in the tty_struct)
Peter Dolding June 4, 2017, 3:37 a.m. UTC | #49
On Sun, Jun 4, 2017 at 8:22 AM, Matt Brown <matt@nmatt.com> wrote:
> On 06/03/2017 06:00 PM, Alan Cox wrote:
>>>
>>> TIOCSLCKTRMIOS
>>
>>
>> That one I'm more dubious about
>>
>>> TIOCSLTC
>>> TIOCSSOFTCAR
>>
>>
>> tty_io.c also has a few and n_tty has a couple we'd want.
>>
>>>
>>> would it be overkill to have a sysctl kernel.ttyioctlwhitelist.X where X
>>> is one of the ioctls above?
>>
>>
>> Why would anyone want to change the entries on that list
>>
>
> Did you see Serge's proposed solution? I want us to not be talking past
> each other. Serge proposed the following:
>
> | By default, nothing changes - you can use those on your own tty, need
> | CAP_SYS_ADMIN against init_user_ns otherwise.
> |
> | Introduce a new CAP_TTY_PRIVILEGED.
> |
> | When may_push_chars is removed from the whitelist, you lose the
> | ability to use TIOCSTI on a tty - even your own - if you do not have
> | CAP_TTY_PRIVILEGED against the tty's user_ns.
>
> The question is how do you add/remove something from this whitelist? I
> assume by add/remove we don't mean that you have to recompile your
> kernel to change the whitelist!
>
> you earlier said you wanted the check to look like this:
>
> | if (!whitelisted(ioctl) && different_namespace && magic_flag)
>
> I want to know which namespace you are talking about here. Did you mean
> user_namespace? (the namespace I added tracking for in the tty_struct)

There are many ways to attempt to cure this problem.     They some
that are just wrong.

Pushing stuff up to CAP_SYS_ADMIN is fairly much always wrong.

Using a whitelisted solution does have a downside but to use some
application that use TIOCSTI safely I have not had to push application
to CAP_SYS_ADMIN.

Another question due to the way the exploit work a broken TIOCSTI
where push back could be something someone as CAP_SYS_ADMIN run.

What I don't know if yet set when ever an application used TIOCSTI to
push back chars back into input that this would set input to be
flushed on tty disconnect or application termination would this break
any applications.

So it may be possible to allow applications to freely use TIOCSTI just
make sure that anything an application has pushed back into input
buffer cannot get to anything else.

The thing to remember is most times when applications are controlling
other applications they are not pushing data backwards on input..

Question I have is what is valid usage cases of TIOCSTI.   Thinking
grscecurity got away with pushing this up to CAP_SYS_ADMIN there may
not be many.

If there is no valid usage of TIOCSTI across applications there is no
reason why TIOCSTI cannot be setup to automatically trigger input
flushs to prevent TIOCSTI inserted data getting anywhere.
.
This could be like X11 and it huge number of features where large
number were found that no one ever used just was created that way
because it was though like it would be useful.

My problem here is TIOCSTI might not need a flag at all.   TIOCSTI
functionality maybe in need of limitations particularly if TIOCSTI
push back into input cross from one application to the next has no
genuine application usage.

So far no one has started that exploited TIOCSTI functionality exists
in any genuine application as expected functionality.   I cannot find
example of where pushing back into input then going to background or
dieing/exiting and having that pushed back input processed is done by
any genuine application as expected functionality.   That is something
that could be limited if there is no genuine users and close the door
without having to modify existing applications that don't expect to-do
that.

Its really simple to get focused in on quick fix to problems without
asking is the behaviour even required.

Peter Dolding
Boris Lukashev June 4, 2017, 6:29 a.m. UTC | #50
On Mon, May 29, 2017 at 8:27 PM, Casey Schaufler <casey@schaufler-ca.com> wrote:
> On 5/29/2017 4:51 PM, Boris Lukashev wrote:
>> With all due respect sir, i believe your review falls short of the
>> purpose of this effort - to harden the kernel against flaws in
>> userspace. Comments along the line of "if <userspace> does it right
>> then your patch is pointless" are not relevant to the context of
>> securing kernel functions/interfaces. What userspace should do has
>> little bearing on defensive measures actually implemented in the
>> kernel - if we took the approach of "someone else is responsible for
>> that" in military operations, the world would be a much darker and
>> different place today. Those who have the luxury of standoff from the
>> critical impacts of security vulnerabilities may not take into account
>> the fact that peoples lives literally depend on Linux getting a lot
>> more secure, and quickly.
>
> You are not going to help anyone with a kernel configuration that
> breaks agetty, csh, xemacs and tcsh. The opportunities for using
> such a configuration are limited.
>

First off, thank you for the clear and rational responses - newbie
status in these upstreaming/kernel matters has a bit of a steep
learning curve.
I would however, have to disagree with the above in that there is a
very large number of purpose built Linux systems in play, home routers
being a good example, which effectively retain the same security
posture over their lifetime in an increasingly hostile operating
environment. Mitigation at every tier of the attack cycle is desirable
as a  (configurable) default such as to at least reduce the impact of
compromise (they may leak memory containing the admin cred  for the
web ui via some protocol error, but dont get shells, local privs, and
raw device access). Then there are all the servers out there which
would benefit from this, as they dont use those components but do
expose TTYs to dangerous consumers, and even the workstations in a
similar boat where they dont depend on faulty consumers but are
operated by faulty users. Devil's in the details right? Ideally, if
properly designed with input from greybeards, faults can be mostly
nullified and edge cases addressed with adjacent maintainers.

>> If this work were not valuable, it wouldnt be an enabled kernel option
>> on a massive number of kernels with attack surfaces reduced by the
>> compound protections offered by the grsec patch set.
>
> I'll bet you a beverage that 99-44/100% of the people who have
> this enabled have no clue that it's even there. And if they did,
> most of them would turn it off.
>

Wouldn't dream of taking that bet - the vast majority of Linux users
dont even know they're Linux users :). Disagree with the latter part
though, the majority of people rely on the appropriate organs of
society (military, police, security-focused devs) to provide for their
safety; they not only take for granted but largely abide by the
constraints placed by those in the know such as to ensure that safety.
A cynical example being that you may not know exactly what the stuff
in that hazmat-labled container will do to you (may make you into
Wolverine, or melt your bones), but you're not likely to open it and
take a sip - you trust the people who sealed it to know enough of the
details to have made that decision. Implementing changes like this
(properly scoped and implemented, as the refinement process seems to
be doing) makes a lot of sense top-down as it forces consumers to do
things the right way instead of waiting for them before adopting a
useful function.

>> I can't speak for
>> the grsec people, but having read a small fraction of the commentary
>> around the subject of mainline integration, it seems to me that NAKs
>> like this are exactly why they had no interest in even trying - this
>> review is based on the cultural views of the kernel community, not on
>> the security benefits offered by the work in the current state of
>> affairs (where userspace is broken).
>
> A security clamp-down that breaks important stuff is going
> to have a tough row to hoe going upstream. Same with a performance
> enhancement that breaks things.
>

Back to the newbie status bit, i've read and heard (in varying degrees
of satisfaction and frustration) that upstream makes it hard to adopt
significant changes as a culture. Obviously there are practical
concerns around compatibility, but there must be some avenue to have a
clear and rational discussion with Olympus about inducing a well
planned and short period of churn to affect changes which will greatly
extend the iconic notion of systems running stable and safe for years
at a time...
In practical terms, distributions ship tons of patches for kernel bugs
faster than you can reload a blunderbuss. While that is good practice,
and should continue, it results in constant operating efforts on the
parts of the consumer having to "manage their updates" since the bug
isn't restricted in access vectors or efficacy by a global defensive
measure, but requires direct patching to mitigate. Compliance beholden
systems, which tend to be in the critical path, suffer obligatory
burdens from the status quo - find me a hospital IT security manager
who hasn't thought of running (himself or his boss) head first through
his office window since the start of the quarter, and i'll betcha he
started work Friday.
A "security clamp-down" would be great if it were well coordinated
with the ecosystem such as to have bugs found by compile-time
approaches immediately addressed by their owning maintainers, quickly
spread use of read-only and randomized structures, memory allocations,
or whatever other defenses are implemented at the core/LSM
infrastructure tiers. Once the large changes are in, things go back to
business-as-usual, but without the ops engineers being restricted to
eating with dull plastic spoons.

>> The purpose of each of these
>> protections (being ported over from grsec) is not to offer carte
>> blanche defense against all attackers and vectors, but to prevent
>> specific classes of bugs from reducing the security posture of the
>> system. By implementing these defenses in a layered manner we can
>> significantly reduce our kernel attack surface.
>
> Sure, but they have to work right. That's an important reason to do
> small changes. A change that isn't acceptable can be rejected without
> slowing the general progress.
>

Understood and agreed - getting the right scope and constraints for
the job is imperative for proper design and implementation of the
solution. As i'm reading the evolution of this thread i'm learning how
submissions evolve to fit the needs defined by members. Sort of rare
to see a process involving multiple participants these days which
hasn't devolved into a sandy goat-roping procedure.

>> Once userspace catches
>> up and does things the right way, and has no capacity for doing them
>> the wrong way (aka, nothing attackers can use to bypass the proper
>> userspace behavior), then the functionality really does become
>> pointless, and can then be removed.
>
> Well, until someone comes along with yet another spiffy feature
> like containers and breaks it again. This is why a really good
> solution is required, and the one proposed isn't up to snuff.
>
>> >From a practical perspective, can alternative solutions be offered
>> along with NAKs?
>
> They often are, but let's face it, not everyone has the time,
> desire and/or expertise to solve every problem that comes up.
>
>> Killing things on the vine isnt great, and if a
>> security measure is being denied, upstream should provide their
>> solution to how they want to address the problem (or just an outline
>> to guide the hardened folks).
>
> The impact of a "security measure" can exceed the value provided.
> That is, I understand, the basis of the NAK. We need to be careful
> to keep in mind that, until such time as there is substantial interest
> in the sort of systemic changes that truly remove this class of issue,
> we're going to have to justify the risk/reward trade off when we try
> to introduce a change.
>

Here i again, have to respectfully disagree. Waiting on "significant
interest" to patch their workstations and servers is what got a chunk
of the world looking for backups and coughing up bitcoins recently. If
there is a viable threat model, it should be addressed proactively, as
opposed to potential operating bugs which are shaken out in the course
of ops (which is how i understand current triage to work for bugs -
once its found, not potentially because conditions could create it).
Security as an afterthought can be seen as a form of complacency, and
as we've all read - "complacency kills."

>>
>> On Mon, May 29, 2017 at 6:26 PM, Alan Cox <gnomes@lxorguk.ukuu.org.uk> wrote:
>>> On Mon, 29 May 2017 17:38:00 -0400
>>> Matt Brown <matt@nmatt.com> wrote:
>>>
>>>> This introduces the tiocsti_restrict sysctl, whose default is controlled
>>>> via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this control
>>>> restricts all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.
>>> Which is really quite pointless as I keep pointing out and you keep
>>> reposting this nonsense.
>>>
>>>> This patch depends on patch 1/2
>>>>
>>>> This patch was inspired from GRKERNSEC_HARDEN_TTY.
>>>>
>>>> This patch would have prevented
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1411256 under the following
>>>> conditions:
>>>> * non-privileged container
>>>> * container run inside new user namespace
>>> And assuming no other ioctl could be used in an attack. Only there are
>>> rather a lot of ways an app with access to a tty can cause mischief if
>>> it's the same controlling tty as the higher privileged context that
>>> launched it.
>>>
>>> Properly written code allocates a new pty/tty pair for the lower
>>> privileged session. If the code doesn't do that then your change merely
>>> modifies the degree of mayhem it can cause. If it does it right then your
>>> patch is pointless.
>>>
>>>> Possible effects on userland:
>>>>
>>>> There could be a few user programs that would be effected by this
>>>> change.
>>> In other words, it's yet another weird config option that breaks stuff.
>>>
>>>
>>> NAK v7.
>>>
>>> Alan
>>
>>
>
diff mbox

Patch

diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
index bac23c1..f7985cf 100644
--- a/Documentation/sysctl/kernel.txt
+++ b/Documentation/sysctl/kernel.txt
@@ -89,6 +89,7 @@  show up in /proc/sys/kernel:
 - sysctl_writes_strict
 - tainted
 - threads-max
+- tiocsti_restrict
 - unknown_nmi_panic
 - watchdog
 - watchdog_thresh
@@ -987,6 +988,26 @@  available RAM pages threads-max is reduced accordingly.
 
 ==============================================================
 
+tiocsti_restrict:
+
+This toggle indicates whether unprivileged users are prevented
+from using the TIOCSTI ioctl to inject commands into other processes
+which share a tty session.
+
+When tiocsti_restrict is set to (0) there are no restrictions(accept
+the default restriction of only being able to injection commands into
+one's own tty). When tiocsti_restrict is set to (1), users must
+have CAP_SYS_ADMIN to use the TIOCSTI ioctl.
+
+When user namespaces are in use, the check for the capability
+CAP_SYS_ADMIN is done against the user namespace that originally
+opened the tty.
+
+The kernel config option CONFIG_SECURITY_TIOCSTI_RESTRICT sets the
+default value of tiocsti_restrict.
+
+==============================================================
+
 unknown_nmi_panic:
 
 The value in this file affects behavior of handling NMI. When the
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index c276814..0f2733d 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -2297,11 +2297,19 @@  static int tty_fasync(int fd, struct file *filp, int on)
  *	FIXME: may race normal receive processing
  */
 
+int tiocsti_restrict = IS_ENABLED(CONFIG_SECURITY_TIOCSTI_RESTRICT);
+
 static int tiocsti(struct tty_struct *tty, char __user *p)
 {
 	char ch, mbz = 0;
 	struct tty_ldisc *ld;
 
+	if (tiocsti_restrict &&
+		!ns_capable(tty->owner_user_ns, CAP_SYS_ADMIN)) {
+		dev_warn_ratelimited(tty->dev,
+			"Denied TIOCSTI ioctl for non-privileged process\n");
+		return -EPERM;
+	}
 	if ((current->signal->tty != tty) && !capable(CAP_SYS_ADMIN))
 		return -EPERM;
 	if (get_user(ch, p))
diff --git a/include/linux/tty.h b/include/linux/tty.h
index d902d42..2fd7f49 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -344,6 +344,8 @@  struct tty_file_private {
 	struct list_head list;
 };
 
+extern int tiocsti_restrict;
+
 /* tty magic number */
 #define TTY_MAGIC		0x5401
 
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index acf0a5a..68d1363 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -67,6 +67,7 @@ 
 #include <linux/kexec.h>
 #include <linux/bpf.h>
 #include <linux/mount.h>
+#include <linux/tty.h>
 
 #include <linux/uaccess.h>
 #include <asm/processor.h>
@@ -833,6 +834,17 @@  static struct ctl_table kern_table[] = {
 		.extra2		= &two,
 	},
 #endif
+#if defined CONFIG_TTY
+	{
+		.procname	= "tiocsti_restrict",
+		.data		= &tiocsti_restrict,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec_minmax_sysadmin,
+		.extra1		= &zero,
+		.extra2		= &one,
+	},
+#endif
 	{
 		.procname	= "ngroups_max",
 		.data		= &ngroups_max,
diff --git a/security/Kconfig b/security/Kconfig
index 823ca1a..665b610 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -18,6 +18,19 @@  config SECURITY_DMESG_RESTRICT
 
 	  If you are unsure how to answer this question, answer N.
 
+config SECURITY_TIOCSTI_RESTRICT
+	bool "Restrict unprivileged use of tiocsti command injection"
+	default n
+	help
+	  This enforces restrictions on unprivileged users injecting commands
+	  into other processes which share a tty session using the TIOCSTI
+	  ioctl. This option makes TIOCSTI use require CAP_SYS_ADMIN.
+
+	  If this option is not selected, no restrictions will be enforced
+	  unless the tiocsti_restrict sysctl is explicitly set to (1).
+
+	  If you are unsure how to answer this question, answer N.
+
 config SECURITY
 	bool "Enable different security models"
 	depends on SYSFS