From dbca41f0cd8efd135baee3fe0a4c23399bfd4129 Mon Sep 17 00:00:00 2001
From: TL-Yao
Date: Fri, 2 Aug 2024 07:59:23 +0000
Subject: [PATCH 1/2] commit patch 15595429
---
 interfaces/seccomp/template.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/interfaces/seccomp/template.go b/interfaces/seccomp/template.go
index 1d721fdb61b..c37826f3f4a 100644
--- a/interfaces/seccomp/template.go
+++ b/interfaces/seccomp/template.go
@@ -200,7 +200,13 @@ inotify_rm_watch
 # input (man tty_ioctl), so we disallow it to prevent snaps plugging interfaces
 # with 'capability sys_admin' from interfering with other snaps or the
 # unconfined user's terminal.
+# similarly, TIOCLINUX allows to fake input as well (man ioctl_console) so
+# disallow that too
 # TODO: this should be scaled back even more
+~ioctl - TIOCSTI
+~ioctl - TIOCLINUX
+# restrict argument otherwise will match all uses of ioctl() and allow the rules
+# that were disallowed above - TODO: why does this still restrict TIOCLINUX?
 ioctl - !TIOCSTI
 io_cancel
From f9019b31b1c611de78929866d4411af1c2102108 Mon Sep 17 00:00:00 2001
From: TL-Yao
Date: Fri, 2 Aug 2024 07:59:25 +0000
Subject: [PATCH 2/2] commit patch 15595428
---
 cmd/snap-seccomp-blacklist/snap-seccomp-blacklist.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/cmd/snap-seccomp-blacklist/snap-seccomp-blacklist.c b/cmd/snap-seccomp-blacklist/snap-seccomp-blacklist.c
index e1e415daec3..b0205b6a6ff 100644
--- a/cmd/snap-seccomp-blacklist/snap-seccomp-blacklist.c
+++ b/cmd/snap-seccomp-blacklist/snap-seccomp-blacklist.c
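Review bot: The last added comment line leaves an open question (`TODO: why does this still restrict TIOCLINUX?`) inside the very rules meant to stop terminal input injection; whether a deny holds is not something a seccomp policy should ship as a TODO. As far as the visible lines show, `ioctl - !TIOCSTI` matches every ioctl request except TIOCSTI, so TIOCLINUX stays blocked only if the explicit `~ioctl` deny rules take precedence over allow rules when snap-seccomp compiles this template — presumably they do, but nothing in this file shows it, so confirm against snap-seccomp's rule ordering and then state the reason instead of the question, e.g. `# that were disallowed above; the explicit ~ioctl denies take precedence over this allow, so TIOCLINUX stays blocked`. The first added comment also reads awkwardly; `# similarly, TIOCLINUX can be used to fake console input (man ioctl_console), so disallow it too` says the same thing. Since the companion patch adds TIOCLINUX to the C blacklist as well, the two blocked sets should be kept in sync so the fallback filter is never weaker than the template.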
@@ -101,7 +101,7 @@ static int populate_filter(scmp_filter_ctx ctx, const uint32_t *arch_tags, size_
 	 * NOTE: not using scmp_rule_add_exact as that was not doing anything
 	 * at all (presumably due to having all the architectures defined). */
-	const struct scmp_arg_cmp no_tty_inject = {
+	struct scmp_arg_cmp no_tty_inject = {
 		/* We learned that existing programs make legitimate requests with all
 		 * bits set in the more significant 32bit word of the 64 bit double
 		 * word. While this kernel behavior remains suspect and presumably
@@ -122,6 +122,10 @@ static int populate_filter(scmp_filter_ctx ctx, const uint32_t *arch_tags, size_
 	};
 	sc_err = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), sys_ioctl_nr, 1, no_tty_inject);
+	/* also block use of TIOCLINUX */
+	no_tty_inject.datum_b = TIOCLINUX;
+	sc_err = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), sys_ioctl_nr, 1, no_tty_inject);
+
 	if (sc_err < 0) {
 		showerr("cannot add rule preventing the use high bits in ioctl");
 		return sc_err;
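Review bot: The return value of the first `seccomp_rule_add()` (the TIOCSTI rule) is overwritten by the second call before `if (sc_err < 0)` is reached, so a failure to install the TIOCSTI rule is silently ignored and the filter goes in without it; each call needs its own check. The message `"cannot add rule preventing the use high bits in ioctl"` now also stands for the TIOCLINUX rule, so it should name which rule failed. The added rule also assumes the comparison operator consumes `datum_b` (as `SCMP_CMP_MASKED_EQ` does); the initializer's `.op` and `.datum_a` lines are outside the hunk, so confirm that changing only `datum_b` yields a TIOCLINUX rule rather than a second copy of the TIOCSTI one. Building the second rule from its own `const` initializer would also avoid dropping `const` in the earlier hunk; populate_filter continues past the visible lines.
```c
	sc_err = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), sys_ioctl_nr, 1, no_tty_inject);
	if (sc_err < 0) {
		showerr("cannot add rule blocking TIOCSTI in ioctl");
		return sc_err;
	}
	/* … unchanged: set datum_b = TIOCLINUX and add the second rule … */
	if (sc_err < 0) {
		showerr("cannot add rule blocking TIOCLINUX in ioctl");
		return sc_err;
```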