[email protected] wrote re <http://bugs.gnu.org/24541>:
When executing a program via the runcon utility, the nonpriv session
can escape to the parent session by using the TIOCSTI ioctl to push
characters into the terminal's input buffer, allowing an attacker to
execute arbitrary commands without the SELinux security context.
Thanks for the bug report. Surely this is a bug in the setexeccon system call,
not in the runcon command that uses the system call. That being said, perhaps
runcon should work around the bug via something like the attached patch.
diff --git a/src/runcon.c b/src/runcon.c
index b25db04..52b0b36 100644
--- a/src/runcon.c
+++ b/src/runcon.c
@@ -249,6 +249,11 @@ main (int argc, char **argv)
error (EXIT_FAILURE, errno, _("invalid context: %s"),
quote (context_str (con)));
+ /* Prevent the sandboxed process from using the TIOCSTI ioctl to
+ push characters into the controlling terminal's input buffer. */
+ if (setsid () != 0)
+ error (EXIT_FAILURE, errno, _("cannot create session"));
+
if (setexeccon (context_str (con)) != 0)
error (EXIT_FAILURE, errno, _("unable to set security context %s"),
quote (context_str (con)));
