From patchwork Sun Sep 25 18:49:40 2016
X-Patchwork-Submitter: Paul Eggert
X-Patchwork-Id: 9350633
Subject: Re: bug#24541: runcon tty hijacking via TIOCSTI ioctl
To: up201407890@alunos.dcc.fc.up.pt, 24541@debbugs.gnu.org, SE-Linux
References: <20160925133955.72163x0kftak7yqs@webmail.alunos.dcc.fc.up.pt>
From: Paul Eggert
Organization: UCLA Computer Science Department
Date: Sun, 25 Sep 2016 11:49:40 -0700
In-Reply-To: <20160925133955.72163x0kftak7yqs@webmail.alunos.dcc.fc.up.pt>
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

up201407890@alunos.dcc.fc.up.pt wrote re :

> When executing a program via the runcon utility, the nonpriv session
> can escape to the parent session by using the TIOCSTI ioctl to push
> characters into the terminal's input buffer, allowing an attacker to
> execute arbitrary commands without the SELinux security context.

Thanks for the bug report. Surely this is a bug in the setexeccon
system call, not in the runcon command that uses the system call. That
being said, perhaps runcon should work around the bug via something
like the attached patch.

diff --git a/src/runcon.c b/src/runcon.c index b25db04..52b0b36 100644 --- a/src/runcon.c +++ b/src/runcon.c 
@@ -249,6 +249,11 @@ main (int argc, char **argv) error (EXIT_FAILURE, errno, _("invalid context: %s"), quote (context_str (con))); + /* Prevent the sandboxed process from using the TIOCSTI ioctl to + push characters into the controlling terminal's input buffer. */ + if (setsid () != 0) + error (EXIT_FAILURE, errno, _("cannot create session")); + if (setexeccon (context_str (con)) != 0) error (EXIT_FAILURE, errno, _("unable to set security context %s"), quote (context_str (con)));
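
Review bot: the unconditional `if (setsid () != 0) error (EXIT_FAILURE, errno, _("cannot create session"));` placed before `setexeccon` makes runcon exit whenever it is already a process group leader, because setsid(2) fails with EPERM in that case, and a job-control shell makes each command it launches the leader of its own process group. That is the usual way runcon is started from a terminal, so as written the workaround turns most interactive invocations into "cannot create session" failures. Consider forking first and calling setsid in the child (the approach setsid(1) takes), with the parent waiting and propagating the exit status, or at least falling back to that path on EPERM. The new session also has no controlling terminal, so commands run under runcon lose job control and terminal-generated signals; since the patch touches only src/runcon.c, that behaviour change would also need a note in the manual and NEWS.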