  1. From 7f1265b917aba4436653aa8e7bf90976b82b77ee Mon Sep 17 00:00:00 2001
  2. From: Jann Horn <jann@thejh.net>
  3. Date: Fri, 14 Aug 2015 17:47:01 +0200
  4. Subject: [PATCH] drivers/tty: require read access for controlling terminal
  5.  
  6. This is mostly a hardening fix, given that write-only access to other
  7. users' ttys is usually only given through setgid tty executables.
  8.  
  9. Signed-off-by: Jann Horn <jann@thejh.net>
  10. ---
  11. drivers/tty/tty_io.c | 48 ++++++++++++++++++++++++++++++++++++++++++++----
  12. 1 file changed, 44 insertions(+), 4 deletions(-)
  13.  
  14. diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
  15. index 57fc6ee..dcd6a83 100644
  16. --- a/drivers/tty/tty_io.c
  17. +++ b/drivers/tty/tty_io.c
  18. @@ -2136,8 +2136,31 @@ retry_open:
  19. if (!noctty &&
  20. current->signal->leader &&
  21. !current->signal->tty &&
  22. - tty->session == NULL)
  23. - __proc_set_tty(tty);
  24. + tty->session == NULL) {
  25. + /*
  26. + * Don't let a process that only has write access to the tty
  27. + * obtain the privileges associated with having a tty as
  28. + * controlling terminal (being able to reopen it with full
  29. + * access through /dev/tty, being able to perform pushback).
  30. + * Many distributions set the group of all ttys to "tty" and
  31. + * grant write-only access to all terminals for setgid tty
  32. + * binaries, which should not imply full privileges on all ttys.
  33. + *
  34. + * This could theoretically break old code that performs open()
  35. + * on a write-only file descriptor. In that case, it might be
  36. + * necessary to also permit this if
  37. + * inode_permission(inode, MAY_READ) == 0.
  38. + */
  39. + if (filp->f_mode & FMODE_READ)
  40. + __proc_set_tty(tty);
  41. + else {
  42. + char comm[sizeof(current->comm)];
  43. +
  44. + pr_warn_once("%s: silently refused to set controlling terminal on open() - tty is not open for reading. Offending process: %d (%s)\n",
  45. + tty->name, current->pid,
  46. + get_task_comm(comm, current));
  47. + }
  48. + }
  49. spin_unlock_irq(&current->sighand->siglock);
  50. read_unlock(&tasklist_lock);
  51. tty_unlock(tty);
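Review bot: The `pr_warn_once()` in the new `else` branch runs before `spin_unlock_irq(&current->sighand->siglock)`, so the message is formatted and printed with interrupts disabled while siglock, tasklist_lock and the tty lock are still held, and `get_task_comm()` takes the task lock inside that region as well. It would be safer to record the refusal in a local flag (for example `ctty_refused = true;`) and emit the warning after `tty_unlock(tty)`, or to drop the message and rely on the comment. The same applies to the two `pr_warn_once()` calls in the tiocsctty() hunk, which run before `read_unlock(&tasklist_lock)`. Since open() still succeeds when the assignment is refused, the comment should also say that callers see no error and that the log line appears only once per boot. The enclosing function starts and ends outside this hunk, so the flag declaration would go with its other locals.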
  52. @@ -2426,7 +2449,7 @@ static int fionbio(struct file *file, int __user *p)
  53. * Takes ->siglock() when updating signal->tty
  54. */
  55.  
  56. -static int tiocsctty(struct tty_struct *tty, int arg)
  57. +static int tiocsctty(struct tty_struct *tty, struct file *file, int arg)
  58. {
  59. int ret = 0;
  60.  
  61. @@ -2460,6 +2483,23 @@ static int tiocsctty(struct tty_struct *tty, int arg)
  62. goto unlock;
  63. }
  64. }
  65. +
  66. + /* See the comment in tty_open(). */
  67. + if ((file->f_mode & FMODE_READ) == 0) {
  68. + char comm[sizeof(current->comm)];
  69. +
  70. + get_task_comm(comm, current);
  71. + if (capable(CAP_SYS_ADMIN)) {
  72. + pr_warn_once("%s: TIOCSCTTY on a write-only fd was only allowed because it was performed by root. Offending process: %d (%s)\n",
  73. + tty->name, current->pid, comm);
  74. + } else {
  75. + pr_warn_once("%s: TIOCSCTTY on a write-only fd was refused for security reasons! This might break old code. Offending process: %d (%s)\n",
  76. + tty->name, current->pid, comm);
  77. + ret = -EPERM;
  78. + goto unlock;
  79. + }
  80. + }
  81. +
  82. proc_set_tty(tty);
  83. unlock:
  84. read_unlock(&tasklist_lock);
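Review bot: The first message says the ioctl was allowed because it "was performed by root", but the test above it is `capable(CAP_SYS_ADMIN)`, a capability check rather than a uid check; wording such as `TIOCSCTTY on a write-only fd was only allowed because the caller has CAP_SYS_ADMIN` would match the code. Both branches use `pr_warn_once()`, so only the first event after boot is logged and later refused attempts return `-EPERM` without a trace. If the message is meant as an audit signal, a short comment should state that limitation, or a rate-limited print could be used instead. `comm` is text the calling process controls, so anything that parses this log line should treat it as untrusted. tiocsctty() begins before this hunk, so the placement of the check relative to the earlier session handling cannot be judged from here.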
  85. @@ -2852,7 +2892,7 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
  86. no_tty();
  87. return 0;
  88. case TIOCSCTTY:
  89. - return tiocsctty(tty, arg);
  90. + return tiocsctty(tty, file, arg);
  91. case TIOCGPGRP:
  92. return tiocgpgrp(tty, real_tty, p);
  93. case TIOCSPGRP:
  94. --
  95. 2.1.4