[kernel-hardening] Re: [PATCH v7 2/2] security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN
From: Nick Kralevich <hidden>
Date: 2017-05-30 18:44:24
Also in:
lkml
On Tue, May 30, 2017 at 11:32 AM, Stephen Smalley [off-list ref] wrote:
> > Seccomp requires the program in question to "opt-in" so to speak and set certain restrictions on itself. However as you state above, any TIOCSTI protection doesn't matter if the program correctly allocates a tty/pty pair. This protection seeks to protect users from programs that don't do things correctly. Rather than killing bugs, this feature attempts to kill an entire bug class that shows little sign of slowing down in the world of containers and sandboxes.
>
> Just FYI, you can also restrict TIOCSTI (or any other ioctl command) via SELinux ioctl whitelisting, and Android is using that feature to restrict TIOCSTI usage in Android O (at least based on the developer previews to date, also in AOSP master).

For reference, this is https://android-review.googlesource.com/306278, where we moved to a whitelist for handling ioctls for ptys.

--
Nick
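
Added example, not part of the original message and not the policy from the linked Android change: a minimal SELinux policy fragment showing how ioctl whitelisting on a pty leaves TIOCSTI out. The type names `example_app` and `example_devpts` are hypothetical, and the command numbers are the asm-generic values from `<asm-generic/ioctls.h>`.

```selinux
# Constructed example. example_app and example_devpts are hypothetical types,
# not taken from the Android change linked above.
#
# TTY ioctl command numbers (asm-generic/ioctls.h; some architectures differ):
#   TCGETS     0x5401   TCSETS     0x5402
#   TCSETSW    0x5403   TCSETSF    0x5404
#   TIOCSTI    0x5412   (pushes a byte into the terminal's input queue)
#   TIOCGWINSZ 0x5413   TIOCSWINSZ 0x5414

# Weak: with no allowxperm rule for this source/target/class triple, the
# ioctl permission alone covers every command on the pty, TIOCSTI included.
allow example_app example_devpts:chr_file { open read write getattr ioctl };

# Hardened: keep the allow rule above and add a whitelist. Once an allowxperm
# rule exists for the triple, only the listed command numbers pass the ioctl
# check. 0x5412 (TIOCSTI) is not listed, so it is denied.
# Listed: termios get/set (0x5401-0x5404) and window size get/set (0x5413, 0x5414).
allowxperm example_app example_devpts:chr_file ioctl {
    0x5401 0x5402 0x5403 0x5404
    0x5413 0x5414
};
```

Unlike a seccomp filter, this rule is enforced by the loaded policy without the confined program opting in, and a blocked call is logged as an AVC `ioctl` denial with an `ioctlcmd` field identifying the command.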