runcon: revert "disable use of the TIOCSTI ioctl"

This reverts commit v8.27-97-g8cb06d4 because the setsid() fallback was not implemented correctly and disabling the ioctl was not a complete solution to the security issue of the child being passed the tty of the parent. Given runcon is not really a sandbox command, the advice is to use `runcon ... setsid ...` to avoid this particular issue.
coreutils · Aug 30, 2017 · f5d7c08 · f5d7c08
1 parent f169345
commit f5d7c08
Show file tree

Hide file tree

Showing 6 changed files with 0 additions and 78 deletions.
diff --git a/NEWS b/NEWS
@@ -72,10 +72,6 @@ GNU coreutils NEWS                                    -*- outline -*-
   non regular files are specified, as inotify is ineffective with these.
   [bug introduced with inotify support added in coreutils-7.5]
 
-  runcon now disables use of the TIOCSTI ioctl in its children, which could
-  be used to inject commands to the terminal and run at the original context.
-  [the issue dates back to the initial implementation]
-
   uptime no longer outputs the AM/PM component of the current time,
   as that's inconsistent with the 24 hour time format used.
   [bug introduced in coreutils-7.0]

diff --git a/m4/jm-macros.m4 b/m4/jm-macros.m4
@@ -63,19 +63,6 @@ AC_DEFUN([coreutils_MACROS],
         esac
       fi
     ])
-
-    # Used by runcon.c
-    LIB_SECCOMP=
-    AC_SUBST([LIB_SECCOMP])
-    if test "$with_selinux" != no; then
-      AC_SEARCH_LIBS([seccomp_init], [seccomp],
-        [test "$ac_cv_search_seccomp_init" = "none required" ||
-          LIB_SECCOMP=$ac_cv_search_seccomp_init
-         AC_DEFINE([HAVE_SECCOMP], [1], [libseccomp usability])],
-        [test "$ac_cv_header_selinux_selinux_h" = yes &&
-         AC_MSG_WARN([libseccomp library was not found or not usable])
-         AC_MSG_WARN([runcon will be vulnerable to tty injection])])
-    fi
   LIBS=$coreutils_saved_libs
 
   # Used by sort.c.

diff --git a/src/local.mk b/src/local.mk
@@ -243,7 +243,6 @@ src_mkfifo_LDADD += $(LIB_SMACK)
 src_mknod_LDADD += $(LIB_SELINUX)
 src_mknod_LDADD += $(LIB_SMACK)
 src_runcon_LDADD += $(LIB_SELINUX)
-src_runcon_LDADD += $(LIB_SECCOMP)
 src_stat_LDADD += $(LIB_SELINUX)
 
 # for nvlist_lookup_uint64_array

diff --git a/src/runcon.c b/src/runcon.c
@@ -45,10 +45,6 @@
 #include <getopt.h>
 #include <selinux/selinux.h>
 #include <selinux/context.h>
-#ifdef HAVE_SECCOMP
-# include <seccomp.h>
-# include <sys/ioctl.h>
-#endif
 #include <sys/types.h>
 #include "system.h"
 #include "die.h"
@@ -106,28 +102,6 @@ With neither CONTEXT nor COMMAND, print the current security context.\n\
   exit (status);
 }
 
-static void
-disable_tty_inject (void)
-{
-#ifdef HAVE_SECCOMP
-  scmp_filter_ctx ctx = seccomp_init (SCMP_ACT_ALLOW);
-  if (! ctx)
-    die (EXIT_FAILURE, 0, _("failed to initialize seccomp context"));
-  if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EPERM), SCMP_SYS (ioctl), 1,
-                        SCMP_A1 (SCMP_CMP_EQ, (int) TIOCSTI)) < 0)
-    die (EXIT_FAILURE, 0, _("failed to add seccomp rule"));
-  if (seccomp_load (ctx) < 0)
-    die (EXIT_FAILURE, 0, _("failed to load seccomp rule"));
-  seccomp_release (ctx);
-#else
-  /* This may have unwanted side effects, but is a fallback
-     on older systems without libseccomp.  */
-  if (setsid () != 0)
-    die (EXIT_FAILURE, errno, _("cannot create session"));
-#endif /* HAVE_SECCOMP */
-}
-
-
 int
 main (int argc, char **argv)
 {
@@ -221,8 +195,6 @@ main (int argc, char **argv)
     die (EXIT_FAILURE, 0, _("%s may be used only on a SELinux kernel"),
          program_name);
 
-  disable_tty_inject ();
-
   if (context)
     {
       con = context_new (context);

diff --git a/tests/local.mk b/tests/local.mk
@@ -333,7 +333,6 @@ all_tests =					\
   tests/misc/readlink-root.sh			\
   tests/misc/realpath.sh			\
   tests/misc/runcon-no-reorder.sh		\
-  tests/misc/runcon-no-inject.sh		\
   tests/misc/sha1sum.pl				\
   tests/misc/sha1sum-vec.pl			\
   tests/misc/sha224sum.pl			\

diff --git a/tests/misc/runcon-no-inject.sh b/tests/misc/runcon-no-inject.sh