bug#24541: runcon tty hijacking via TIOCSTI ioctl

Message ID ad807471-3549-b9fa-e718-8110e6a768b2@cs.ucla.edu (mailing list archive)
State Not Applicable

Commit Message

Paul Eggert Sept. 25, 2016, 6:49 p.m. UTC
up201407890@alunos.dcc.fc.up.pt wrote re <http://bugs.gnu.org/24541>:
> When executing a program via the runcon utility, the nonpriv session
> can escape to the parent session by using the TIOCSTI ioctl to push
> characters into the terminal's input buffer, allowing an attacker to
> execute arbitrary commands without the SELinux security context.

Thanks for the bug report. Surely this is a bug in the setexeccon system call, 
not in the runcon command that uses the system call. That being said, perhaps 
runcon should work around the bug via something like the attached patch.

Comments

up201407890@alunos.dcc.fc.up.pt Sept. 26, 2016, 6:38 a.m. UTC | #1
Quoting "Paul Eggert" <eggert@cs.ucla.edu>:

Hello,

I sent the bug report here before I got a response from Paul Moore
https://marc.info/?l=selinux&m=147481004710264&w=2

"I don't think we need to fix this for runcon, as it isn't a
sandboxing tool like sandbox, and the loss of job control would likely
be much more noticeable for runcon."


> up201407890@alunos.dcc.fc.up.pt wrote re <http://bugs.gnu.org/24541>:
>> When executing a program via the runcon utility, the nonpriv session
>> can escape to the parent session by using the TIOCSTI ioctl to push
>> characters into the terminal's input buffer, allowing an attacker to
>> execute arbitrary commands without the SELinux security context.
>
> Thanks for the bug report. Surely this is a bug in the setexeccon  
> system call, not in the runcon command that uses the system call.  
> That being said, perhaps runcon should work around the bug via  
> something like the attached patch.
>



Paul Eggert Sept. 26, 2016, 3:53 p.m. UTC | #2
> "I don't think we need to fix this for runcon, as it isn't a
> sandboxing tool like sandbox, and the loss of job control would likely
> be much more noticeable for runcon."

Thanks, closing the debbugs bug report.
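
The session separation that the proposed workaround relies on, as an added example that is not part of the original thread or the coreutils source: the child is forked first, because setsid() fails for a process group leader, and it then checks that it can no longer open /dev/tty. The function names are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the caller can open its controlling terminal, else 0.
   With no controlling terminal, opening /dev/tty fails (ENXIO). */
static int has_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Hypothetical helper: fork, start a new session in the child, and report
   what the child observed.  Returns 0 if the child became a session leader
   with no controlling terminal, 1 if it still had one, -1 on any error. */
int child_detached_from_tty(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* A freshly forked child is never a process group leader, so
           setsid() cannot fail with EPERM here.  It returns the new
           session ID on success and (pid_t) -1 on failure. */
        if (setsid() == (pid_t) -1)
            _exit(2);
        if (getsid(0) != getpid())
            _exit(3);
        _exit(has_controlling_tty());
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) > 1)
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = child_detached_from_tty();
    printf("child has controlling tty: %d\n", r);
    return r == 0 ? 0 : 1;
}
```

File descriptors inherited from the parent stay open in the child; what changes is that the terminal is no longer the child's controlling terminal, which is also why the parent shell loses job control over it.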
Patch

diff --git a/src/runcon.c b/src/runcon.c
index b25db04..52b0b36 100644
--- a/src/runcon.c
+++ b/src/runcon.c
@@ -249,6 +249,11 @@  main (int argc, char **argv)
     error (EXIT_FAILURE, errno, _("invalid context: %s"),
            quote (context_str (con)));
 
+  /* Prevent the sandboxed process from using the TIOCSTI ioctl to
+     push characters into the controlling terminal's input buffer.  */
+  if (setsid () != 0)
+    error (EXIT_FAILURE, errno, _("cannot create session"));
+
   if (setexeccon (context_str (con)) != 0)
     error (EXIT_FAILURE, errno, _("unable to set security context %s"),
            quote (context_str (con)));
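
Review bot: the test `setsid () != 0` in the added lines treats success as failure, because setsid() returns the new session ID on success and (pid_t) -1 on error, so runcon would exit with "cannot create session" even when the call worked; compare against -1 instead. setsid() also fails with EPERM when the caller is already a process group leader, which is the usual case for a command started from an interactive shell, so the call needs to happen in a forked child before setexeccon and the exec. The comment's "sandboxed process" should be reworded as well, given that the thread describes runcon as not being a sandboxing tool, and the loss of job control that the thread mentions deserves a line in the comment or the documentation.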