From: Pádraig Brady <P@draigBrady.com>
Date: Wed, 30 Aug 2017 07:27:41 +0000 (-0700)
Subject: runcon: revert "disable use of the TIOCSTI ioctl"
X-Git-Tag: v8.28~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f5d7c0842ef7adc2be6e85f9ef66b35ebbbd6a61;p=thirdparty%2Fcoreutils.git

runcon: revert "disable use of the TIOCSTI ioctl"

This reverts commit v8.27-97-g8cb06d4 because
the setsid() fallback was not implemented correctly
and disabling the ioctl was not a complete solution
to the security issue of the child being passed
the tty of the parent.

Given runcon is not really a sandbox command,
the advice is to use `runcon ... setsid ...`
to avoid this particular issue.
---

diff --git a/NEWS b/NEWS
index cc4a56e82d..b7ba1d5007 100644
--- a/NEWS
+++ b/NEWS
@@ -72,10 +72,6 @@ GNU coreutils NEWS                                    -*- outline -*-
   non regular files are specified, as inotify is ineffective with these.
   [bug introduced with inotify support added in coreutils-7.5]
 
-  runcon now disables use of the TIOCSTI ioctl in its children, which could
-  be used to inject commands to the terminal and run at the original context.
-  [the issue dates back to the initial implementation]
-
   uptime no longer outputs the AM/PM component of the current time,
   as that's inconsistent with the 24 hour time format used.
   [bug introduced in coreutils-7.0]
diff --git a/m4/jm-macros.m4 b/m4/jm-macros.m4
index de0657b826..ef915bd378 100644
--- a/m4/jm-macros.m4
+++ b/m4/jm-macros.m4
@@ -63,19 +63,6 @@ AC_DEFUN([coreutils_MACROS],
         esac
       fi
     ])
-
-    # Used by runcon.c
-    LIB_SECCOMP=
-    AC_SUBST([LIB_SECCOMP])
-    if test "$with_selinux" != no; then
-      AC_SEARCH_LIBS([seccomp_init], [seccomp],
-        [test "$ac_cv_search_seccomp_init" = "none required" ||
-          LIB_SECCOMP=$ac_cv_search_seccomp_init
-         AC_DEFINE([HAVE_SECCOMP], [1], [libseccomp usability])],
-        [test "$ac_cv_header_selinux_selinux_h" = yes &&
-         AC_MSG_WARN([libseccomp library was not found or not usable])
-         AC_MSG_WARN([runcon will be vulnerable to tty injection])])
-    fi
   LIBS=$coreutils_saved_libs
 
   # Used by sort.c.
diff --git a/src/local.mk b/src/local.mk
index 9275b1f2ee..1cb685906c 100644
--- a/src/local.mk
+++ b/src/local.mk
@@ -243,7 +243,6 @@ src_mkfifo_LDADD += $(LIB_SMACK)
 src_mknod_LDADD += $(LIB_SELINUX)
 src_mknod_LDADD += $(LIB_SMACK)
 src_runcon_LDADD += $(LIB_SELINUX)
-src_runcon_LDADD += $(LIB_SECCOMP)
 src_stat_LDADD += $(LIB_SELINUX)
 
 # for nvlist_lookup_uint64_array
diff --git a/src/runcon.c b/src/runcon.c
index 611b788876..92f519df8a 100644
--- a/src/runcon.c
+++ b/src/runcon.c
@@ -45,10 +45,6 @@
 #include <getopt.h>
 #include <selinux/selinux.h>
 #include <selinux/context.h>
-#ifdef HAVE_SECCOMP
-# include <seccomp.h>
-# include <sys/ioctl.h>
-#endif
 #include <sys/types.h>
 #include "system.h"
 #include "die.h"
@@ -106,28 +102,6 @@ With neither CONTEXT nor COMMAND, print the current security context.\n\
   exit (status);
 }
 
-static void
-disable_tty_inject (void)
-{
-#ifdef HAVE_SECCOMP
-  scmp_filter_ctx ctx = seccomp_init (SCMP_ACT_ALLOW);
-  if (! ctx)
-    die (EXIT_FAILURE, 0, _("failed to initialize seccomp context"));
-  if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EPERM), SCMP_SYS (ioctl), 1,
-                        SCMP_A1 (SCMP_CMP_EQ, (int) TIOCSTI)) < 0)
-    die (EXIT_FAILURE, 0, _("failed to add seccomp rule"));
-  if (seccomp_load (ctx) < 0)
-    die (EXIT_FAILURE, 0, _("failed to load seccomp rule"));
-  seccomp_release (ctx);
-#else
-  /* This may have unwanted side effects, but is a fallback
-     on older systems without libseccomp.  */
-  if (setsid () != 0)
-    die (EXIT_FAILURE, errno, _("cannot create session"));
-#endif /* HAVE_SECCOMP */
-}
-
-
 int
 main (int argc, char **argv)
 {
@@ -221,8 +195,6 @@ main (int argc, char **argv)
     die (EXIT_FAILURE, 0, _("%s may be used only on a SELinux kernel"),
          program_name);
 
-  disable_tty_inject ();
-
   if (context)
     {
       con = context_new (context);
diff --git a/tests/local.mk b/tests/local.mk
index f222fc8eca..732ec99dad 100644
--- a/tests/local.mk
+++ b/tests/local.mk
@@ -333,7 +333,6 @@ all_tests =					\
   tests/misc/readlink-root.sh			\
   tests/misc/realpath.sh			\
   tests/misc/runcon-no-reorder.sh		\
-  tests/misc/runcon-no-inject.sh		\
   tests/misc/sha1sum.pl				\
   tests/misc/sha1sum-vec.pl			\
   tests/misc/sha224sum.pl			\
diff --git a/tests/misc/runcon-no-inject.sh b/tests/misc/runcon-no-inject.sh
deleted file mode 100755
index f1ea6ec0f2..0000000000
--- a/tests/misc/runcon-no-inject.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/sh
-# Ensure that runcon does not reorder its arguments.
-
-# Copyright (C) 2017 Free Software Foundation, Inc.
-
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
-print_ver_ runcon
-
-cat <<\EOF >inject.py || framework_failure_
-import fcntl, termios
-fcntl.ioctl(0, termios.TIOCSTI, '\n')
-EOF
-
-python inject.py || skip_ 'python TIOCSTI check failed'
-
-returns_ 1 runcon $(id -Z) python inject.py || fail=1
-
-Exit $fail