[PATCH] drivers/tty: add kernel.restrict_pushback sysctl

[Jann Horn]

This new sysctl can be set to 1 to require CAP_SYS_ADMIN for
the TIOCSTI ioctl (which lets the caller push input back into
the TTY and thereby fake input to other processes that read
from the same TTY).

This is a well-known problem that hasn't been handled
particularly well in userland, e.g. allowing a user to whose
account root switches using "su" (or using "sudo" in the
default config) to write input to root's shell, resulting
in a privilege escalation. Additionally, it has increased
the impact of other security issues and requires care by
LSMs to ensure that restricted processes can't fiddle with
the TTYs of more privileged processes running under the
same user.

TIOCSTI is relatively exotic. For most users, turning this
sysctl on should be no problem.

Note that this does not make it completely safe to leak pty
FDs to unprivileged code: They could still be used to steal
passwords that the user enters in his terminal, to
selectively suppress keystrokes or to just fake program
output. An automatic kernel-side solution to this, if it is
even possible, would probably be complicated.

Signed-off-by: Jann Horn <jann@xxxxxxxxx>
---
 drivers/tty/tty_io.c | 12 +++++++++++-
 include/linux/tty.h  |  2 ++
 kernel/sysctl.c      | 10 ++++++++++
 3 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index bcc8e1e..c7536d6 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -126,6 +126,15 @@ struct ktermios tty_std_termios = {	/* for the benefit of tty drivers  */
 	.c_ospeed = 38400
 };
 
+/*
+ * There are many ways in which an attacker can get hold of a TTY's
+ * file descriptor, both through leaks from a privileged parent to
+ * a less privileged child and through other attacks. The system
+ * administrator can set this flag to reduce the impact of such
+ * attacks a lot.
+ */
+int sysctl_restrict_pushback __read_mostly;
+
 EXPORT_SYMBOL(tty_std_termios);
 
 /* This list gets poked at by procfs and various bits of boot up code. This
@@ -2270,8 +2279,9 @@ static int tiocsti(struct tty_struct *tty, char __user *p)
 {
 	char ch, mbz = 0;
 	struct tty_ldisc *ld;
+	bool needpriv = current->signal->tty != tty || sysctl_restrict_pushback;
 
-	if ((current->signal->tty != tty) && !capable(CAP_SYS_ADMIN))
+	if (needpriv && !capable(CAP_SYS_ADMIN))
 		return -EPERM;
 	if (get_user(ch, p))
 		return -EFAULT;
diff --git a/include/linux/tty.h b/include/linux/tty.h
index 5e31f1b..8cc8173 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -674,3 +674,5 @@ static inline void proc_tty_unregister_driver(struct tty_driver *d) {}
 	} while (0)
 
 #endif
+
+extern int sysctl_restrict_pushback;
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index dc6858d..7bd1a28 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -65,6 +65,7 @@
 #include <linux/sched/sysctl.h>
 #include <linux/kexec.h>
 #include <linux/bpf.h>
+#include <linux/tty.h>
 
 #include <asm/uaccess.h>
 #include <asm/processor.h>
@@ -1172,6 +1173,15 @@ static struct ctl_table kern_table[] = {
 		.extra2		= &one,
 	},
 #endif
+	{
+		.procname	= "restrict_pushback",
+		.data		= &sysctl_restrict_pushback,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec_minmax,
+		.extra1		= &zero,
+		.extra2		= &one,
+	},
 	{ }
 };
 
-- 
2.1.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/