From b3a87aa907c18a01da1f3b570177f4cc1ca251b7 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Thu, 2 May 2024 13:30:42 +0300 Subject: [PATCH] Restore the `dev.tty.legacy_tiocsti` check The kernel documentations says: ``` Historically the kernel has allowed TIOCSTI, which will push characters into a controlling TTY. This continues to be used as a malicious privilege escalation mechanism, and provides no meaningful real-world utility any more. Its use is considered a dangerous legacy operation, and can be disabled on most systems. ``` https://elixir.bootlin.com/linux/v6.8.8/source/drivers/tty/Kconfig#L152 In other words, not having the `dev.tty.legacy_tiocsti` sysctl means that the dangerous functionality is enabled by default. --- kernel_hardening_checker/checks.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py index feb36ee..9093b9b 100644 --- a/kernel_hardening_checker/checks.py +++ b/kernel_hardening_checker/checks.py @@ -681,8 +681,7 @@ def add_sysctl_checks(l, _arch): AND(KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set'), have_config_file))] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')] - l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', '0'), - SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', 'is not set'))] + l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', '0')] l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0'), AND(KconfigCheck('cut_attack_surface', 'grsec', 'USERFAULTFD', 'is not set'), have_config_file))] -- 2.31.1