Thread: 49 messages, 11 authors, 2017-06-04

[kernel-hardening] Re: [PATCH v7 2/2] security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN

From: Matt Brown <hidden>
Date: 2017-05-30 18:57:32
Also in: lkml

On 5/30/17 2:44 PM, Nick Kralevich wrote:
> On Tue, May 30, 2017 at 11:32 AM, Stephen Smalley [off-list ref] wrote:
>>> Seccomp requires the program in question to "opt-in" so to speak and set
>>> certain restrictions on itself. However as you state above, any TIOCSTI
>>> protection doesn't matter if the program correctly allocates a tty/pty pair.
>>> This protection seeks to protect users from programs that don't do things
>>> correctly. Rather than killing bugs, this feature attempts to kill an entire
>>> bug class that shows little sign of slowing down in the world of containers and
>>> sandboxes.
>> Just FYI, you can also restrict TIOCSTI (or any other ioctl command)
>> via SELinux ioctl whitelisting, and Android is using that feature to
>> restrict TIOCSTI usage in Android O (at least based on the developer
>> previews to date, also in AOSP master).
> For reference, this is https://android-review.googlesource.com/306278
> , where we moved to a whitelist for handling ioctls for ptys.
>
> -- Nick

Thanks, I didn't know that Android was doing this. I still think this feature
is worthwhile for people to be able to harden their systems against this attack
vector without having to implement a MAC.

Matt
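
The seccomp "opt-in" that the quoted text contrasts with a system-wide restriction, as an added example that is not part of this thread or of the patch: a process installs a filter on itself that makes ioctl(TIOCSTI) fail with EPERM. The names deny_tiocsti, try_tiocsti, NATIVE_ARCH and FIELD are hypothetical, and Linux on x86_64 or aarch64 is assumed.

```c
#include <errno.h>
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "set NATIVE_ARCH to this machine's AUDIT_ARCH_* value"
#endif
#define FIELD(f) ((unsigned int)offsetof(struct seccomp_data, f))

/* Hypothetical helper (added example). After it returns 0, TIOCSTI fails with
 * EPERM in this process and in everything it later forks or execs. */
int deny_tiocsti(void)
{
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 0, 2),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(nr)),
        /* x32 syscall numbers have bit 30 set: treat them like a foreign ABI */
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
        /* the kernel takes cmd as a 32-bit value, so compare the low word */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(args[1])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(f) / sizeof(f[0]), .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Try to push one byte into fd's input queue; returns errno, or 0 if it worked. */
int try_tiocsti(int fd)
{
    char c = '\n';
    return ioctl(fd, TIOCSTI, &c) == 0 ? 0 : errno;
}
int main(void) { return deny_tiocsti() == 0 && try_tiocsti(0) == EPERM ? 0 : 1; }
```

The filter only helps when the launcher installs it before running the untrusted program, which is the limitation the quoted paragraph points at.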