On 5/30/17 2:44 PM, Nick Kralevich wrote: > On Tue, May 30, 2017 at 11:32 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >>> Seccomp requires the program in question to "opt-in" so to speak and >>> set >>> certain restrictions on itself. However as you state above, any >>> TIOCSTI >>> protection doesn't matter if the program correctly allocates a >>> tty/pty pair. >>> This protections seeks to protect users from programs that don't do >>> things >>> correctly. Rather than killing bugs, this feature attempts to kill an >>> entire >>> bug class that shows little sign of slowing down in the world of >>> containers and >>> sandboxes. >> >> Just FYI, you can also restrict TIOCSTI (or any other ioctl command) >> via SELinux ioctl whitelisting, and Android is using that feature to >> restrict TIOCSTI usage in Android O (at least based on the developer >> previews to date, also in AOSP master). > > For reference, this is https://android-review.googlesource.com/306278 > , where we moved to a whitelist for handling ioctls for ptys. > > -- Nick >
Thanks, I didn't know that android was doing this. I still think this feature is worthwhile for people to be able to harden their systems against this attack vector without having to implement a MAC. Matt