From f5d7c0842ef7adc2be6e85f9ef66b35ebbbd6a61 Mon Sep 17 00:00:00 2001 From: =?utf8?q?P=C3=A1draig=20Brady?= Date: Wed, 30 Aug 2017 00:27:41 -0700 Subject: [PATCH] runcon: revert "disable use of the TIOCSTI ioctl" This reverts commit v8.27-97-g8cb06d4 because the setsid() fallback was not implemented correctly and disabling the ioctl was not a complete solution to the security issue of the child being passed the tty of the parent. Given runcon is not really a sandbox command, the advice is to use `runcon ... setsid ...` to avoid this particular issue. --- NEWS | 4 ---- m4/jm-macros.m4 | 13 ------------- src/local.mk | 1 - src/runcon.c | 28 ---------------------------- tests/local.mk | 1 - tests/misc/runcon-no-inject.sh | 31 ------------------------------- 6 files changed, 78 deletions(-) delete mode 100755 tests/misc/runcon-no-inject.sh diff --git a/NEWS b/NEWS index cc4a56e82d..b7ba1d5007 100644 --- a/NEWS +++ b/NEWS @@ -72,10 +72,6 @@ GNU coreutils NEWS -*- outline -*- non regular files are specified, as inotify is ineffective with these. [bug introduced with inotify support added in coreutils-7.5] - runcon now disables use of the TIOCSTI ioctl in its children, which could - be used to inject commands to the terminal and run at the original context. - [the issue dates back to the initial implementation] - uptime no longer outputs the AM/PM component of the current time, as that's inconsistent with the 24 hour time format used. [bug introduced in coreutils-7.0] diff --git a/m4/jm-macros.m4 b/m4/jm-macros.m4 index de0657b826..ef915bd378 100644 --- a/m4/jm-macros.m4 +++ b/m4/jm-macros.m4 
@@ -63,19 +63,6 @@ AC_DEFUN([coreutils_MACROS], esac fi ]) - - # Used by runcon.c - LIB_SECCOMP= - AC_SUBST([LIB_SECCOMP]) - if test "$with_selinux" != no; then - AC_SEARCH_LIBS([seccomp_init], [seccomp], - [test "$ac_cv_search_seccomp_init" = "none required" || - LIB_SECCOMP=$ac_cv_search_seccomp_init - AC_DEFINE([HAVE_SECCOMP], [1], [libseccomp usability])], - [test "$ac_cv_header_selinux_selinux_h" = yes && - AC_MSG_WARN([libseccomp library was not found or not usable]) - AC_MSG_WARN([runcon will be vulnerable to tty injection])]) - fi LIBS=$coreutils_saved_libs # Used by sort.c. diff --git a/src/local.mk b/src/local.mk index 9275b1f2ee..1cb685906c 100644 --- a/src/local.mk +++ b/src/local.mk @@ -243,7 +243,6 @@ src_mkfifo_LDADD += $(LIB_SMACK) src_mknod_LDADD += $(LIB_SELINUX) src_mknod_LDADD += $(LIB_SMACK) src_runcon_LDADD += $(LIB_SELINUX) -src_runcon_LDADD += $(LIB_SECCOMP) src_stat_LDADD += $(LIB_SELINUX) # for nvlist_lookup_uint64_array diff --git a/src/runcon.c b/src/runcon.c index 611b788876..92f519df8a 100644 --- a/src/runcon.c +++ b/src/runcon.c @@ -45,10 +45,6 @@ #include #include #include -#ifdef HAVE_SECCOMP -# include -# include -#endif #include #include "system.h" #include "die.h" 
@@ -106,28 +102,6 @@ With neither CONTEXT nor COMMAND, print the current security context.\n\ exit (status); } -static void -disable_tty_inject (void) -{ -#ifdef HAVE_SECCOMP - scmp_filter_ctx ctx = seccomp_init (SCMP_ACT_ALLOW); - if (! ctx) - die (EXIT_FAILURE, 0, _("failed to initialize seccomp context")); - if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EPERM), SCMP_SYS (ioctl), 1, - SCMP_A1 (SCMP_CMP_EQ, (int) TIOCSTI)) < 0) - die (EXIT_FAILURE, 0, _("failed to add seccomp rule")); - if (seccomp_load (ctx) < 0) - die (EXIT_FAILURE, 0, _("failed to load seccomp rule")); - seccomp_release (ctx); -#else - /* This may have unwanted side effects, but is a fallback - on older systems without libseccomp. */ - if (setsid () != 0) - die (EXIT_FAILURE, errno, _("cannot create session")); -#endif /* HAVE_SECCOMP */ -} - - int main (int argc, char **argv) { @@ -221,8 +195,6 @@ main (int argc, char **argv) die (EXIT_FAILURE, 0, _("%s may be used only on a SELinux kernel"), program_name); - disable_tty_inject (); - if (context) { con = context_new (context); diff --git a/tests/local.mk b/tests/local.mk index f222fc8eca..732ec99dad 100644 --- a/tests/local.mk +++ b/tests/local.mk @@ -333,7 +333,6 @@ all_tests = \ tests/misc/readlink-root.sh \ tests/misc/realpath.sh \ tests/misc/runcon-no-reorder.sh \ - tests/misc/runcon-no-inject.sh \ tests/misc/sha1sum.pl \ tests/misc/sha1sum-vec.pl \ tests/misc/sha224sum.pl \ diff --git a/tests/misc/runcon-no-inject.sh b/tests/misc/runcon-no-inject.sh deleted file mode 100755 index f1ea6ec0f2..0000000000 --- a/tests/misc/runcon-no-inject.sh +++ /dev/null 
@@ -1,31 +0,0 @@
-#!/bin/sh
-# Ensure that runcon does not reorder its arguments.
-
-# Copyright (C) 2017 Free Software Foundation, Inc.
-
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
-print_ver_ runcon
-
-cat <<\EOF >inject.py || framework_failure_
-import fcntl, termios
-fcntl.ioctl(0, termios.TIOCSTI, '\n')
-EOF
-
-python inject.py || skip_ 'python TIOCSTI check failed'
-
-returns_ 1 runcon $(id -Z) python inject.py || fail=1
-
-Exit $fail
-- 
2.47.2