Date: Tue, 29 Aug 2023 15:00:19 +0200
From: "Günther Noack" <gnoack@...gle.com>
To: Samuel Thibault <samuel.thibault@...-lyon.org>, Greg KH <gregkh@...uxfoundation.org>, 
	"Hanno Böck" <hanno@...eck.de>, kernel-hardening@...ts.openwall.com, 
	Kees Cook <keescook@...omium.org>, Jiri Slaby <jirislaby@...nel.org>, 
	Geert Uytterhoeven <geert@...ux-m68k.org>, Paul Moore <paul@...l-moore.com>, 
	David Laight <David.Laight@...lab.com>, Simon Brand <simon.brand@...tadigitale.de>, 
	Dave Mielke <Dave@...lke.cc>, "Mickaël Salaün" <mic@...ikod.net>, KP Singh <kpsingh@...gle.com>, 
	Nico Schottelius <nico-gpm2008@...ottelius.org>
Subject: Re: [PATCH v3 0/1] Restrict access to TIOCLINUX

Hello Samuel!

On Mon, Aug 28, 2023 at 06:45:21PM +0200, Samuel Thibault wrote:
> Günther Noack, on Mon, 28 Aug 2023 18:41:16 +0200, wrote:
> BRLTTY also uses it. It is also admin, so your change is fine :)
> 
> FYI, https://codesearch.debian.net/ is a very convenient tool to check
> what FOSS might be using something.

Thanks, that is an excellent pointer!

Let me update the list of known usages then: The TIOCL_SETSEL, TIOCL_PASTESEL
and TIOCL_SELLOADLUT mentions found on codesearch.debian.net are:

(1) Actual invocations:

 * consolation:
     "consolation" is a gpm clone, which also runs as root.
     (I have not had the chance to test this one yet.)
 * BRLTTY:
     Uses TIOCL_SETSEL as a means to highlight portions of the screen.
     The TIOCSTI patch made BRLTTY work by requiring CAP_SYS_ADMIN,
     so we know that BRLTTY has that capability (it runs as root and
     does not drop it).

(2) Some irrelevant matches:

 * snapd: has a unit test mentioning it, to test their seccomp filters
 * libexplain: mentions it, but does not call it (it's a library for
   human-readably decoding system calls)
 * manpages: documentation


*Outside* of codesearch.debian.org:

 * gpm:
     I've verified that this works with the patch.
     (To my surprise, Debian does not index this project's code.)

FWIW, I also briefly looked into "jamd" (https://jamd.sourceforge.net/), which
was mentioned as similar in the manpage for "consolation", but that software
does not use any ioctls at all.

So overall, it still seems like nothing should break. 👍

—Günther

-- 
Sent using Mutt 🐕 Woof Woof
