From: Abhinav Saxena xandfury@gmail.com
The TIOCSTI ioctl currently only checks the current process's credentials, creating a TOCTOU vulnerability where an unprivileged process can open a TTY fd and pass it to a privileged process via SCM_RIGHTS.
Fix by requiring BOTH the file opener (file->f_cred) AND the current process to have CAP_SYS_ADMIN. This prevents privilege escalation while ensuring legitimate use cases continue to work.
Link: https://github.com/KSPP/linux/issues/156
Signed-off-by: Abhinav Saxena xandfury@gmail.com --- security/selinux/hooks.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 595ceb314aeb..a628551873ab 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3847,6 +3847,12 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd, CAP_OPT_NONE, true); break;
+ case TIOCSTI: + if (!file_ns_capable(file, &init_user_ns, CAP_SYS_ADMIN) || + !capable(CAP_SYS_ADMIN)) + error = -EPERM; + break; + case FIOCLEX: case FIONCLEX: if (!selinux_policycap_ioctl_skip_cloexec())