Closed Bug 1405891 Opened 2 years ago Closed 2 years ago

Block tty ioctls like TIOCSTI in Linux content processes

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

Unspecified
Linux
enhancement

Tracking

()

RESOLVED FIXED
mozilla58
Tracking Status
firefox58 --- fixed

People

(Reporter: jld, Assigned: jld)

References

(Blocks 1 open bug)

Details

(Whiteboard: sb+)

Attachments

(1 file)

I'd like to eventually restrict ioctl() in Linux content processes with a default-deny policy, but that may need some iteration to deal with breakage in unusual considerations.

However, one thing we can do now is to block tty ioctls, including and especially TIOCSTI, as mentioned in bug 1302711 and CVE-2016-9016.  It's not the worst sandbox escape we have at the time of this writing, but it has a very simple fix with relatively little scope for collateral damage.
Priority: P2 → P1
Whiteboard: sb+
Comment on attachment 8915464 [details]
Bug 1405891 - Block tty-related ioctl()s in sandboxed content processes.

https://reviewboard.mozilla.org/r/186664/#review191930

::: security/sandbox/linux/SandboxFilter.cpp:717
(Diff revision 1)
>      case __NR_readahead:
>  #endif
>        return Allow();
>  
> -    case __NR_ioctl:
> -      // ioctl() is for GL. Remove when GL proxy is implemented.
> +    case __NR_ioctl: {
> +      static const unsigned long kTypeMask = 0xff00;

I'd like a reference here where these magic numbers come from.
Attachment #8915464 - Flags: review?(gpascutto) → review+
Comment on attachment 8915464 [details]
Bug 1405891 - Block tty-related ioctl()s in sandboxed content processes.

I changed how the constants are computed, and improved the comment.
Attachment #8915464 - Flags: review+ → review?(gpascutto)
Comment on attachment 8915464 [details]
Bug 1405891 - Block tty-related ioctl()s in sandboxed content processes.

https://reviewboard.mozilla.org/r/186664/#review192350
Attachment #8915464 - Flags: review?(gpascutto) → review+
Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fb637352a959
Block tty-related ioctl()s in sandboxed content processes. r=gcp
https://hg.mozilla.org/mozilla-central/rev/fb637352a959
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Depends on: 1435523
No longer depends on: 1435523
You need to log in before you can comment on or make changes to this bug.