On Tue, May 30, 2017 at 11:32 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >> Seccomp requires the program in question to "opt-in" so to speak and >> set >> certain restrictions on itself. However as you state above, any >> TIOCSTI >> protection doesn't matter if the program correctly allocates a >> tty/pty pair. >> This protections seeks to protect users from programs that don't do >> things >> correctly. Rather than killing bugs, this feature attempts to kill an >> entire >> bug class that shows little sign of slowing down in the world of >> containers and >> sandboxes. > > Just FYI, you can also restrict TIOCSTI (or any other ioctl command) > via SELinux ioctl whitelisting, and Android is using that feature to > restrict TIOCSTI usage in Android O (at least based on the developer > previews to date, also in AOSP master).
For reference, this is https://android-review.googlesource.com/306278 , where we moved to a whitelist for handling ioctls for ptys. -- Nick