From: Alexander Popov Date: Thu, 2 May 2024 10:30:42 +0000 (+0300) Subject: Restore the `dev.tty.legacy_tiocsti` check X-Git-Tag: v0.6.10~73^2~3 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=b3a87aa907c18a01da1f3b570177f4cc1ca251b7;p=kconfig-hardened-check.git Restore the `dev.tty.legacy_tiocsti` check The kernel documentations says: ``` Historically the kernel has allowed TIOCSTI, which will push characters into a controlling TTY. This continues to be used as a malicious privilege escalation mechanism, and provides no meaningful real-world utility any more. Its use is considered a dangerous legacy operation, and can be disabled on most systems. ``` https://elixir.bootlin.com/linux/v6.8.8/source/drivers/tty/Kconfig#L152 In other words, not having the `dev.tty.legacy_tiocsti` sysctl means that the dangerous functionality is enabled by default. --- diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py index feb36ee..9093b9b 100644 --- a/kernel_hardening_checker/checks.py +++ b/kernel_hardening_checker/checks.py @@ -681,8 +681,7 @@ def add_sysctl_checks(l, _arch): AND(KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set'), have_config_file))] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')] - l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', '0'), - SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', 'is not set'))] + l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', '0')] l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0'), AND(KconfigCheck('cut_attack_surface', 'grsec', 'USERFAULTFD', 'is not set'), have_config_file))]