Date: Fri, 15 Sep 2023 15:32:29 +0200
From: "Günther Noack" <>
To: Samuel Thibault <>, Greg KH <>, 
	"Hanno Böck" <>, 
	Kees Cook <>, Jiri Slaby <>, 
	Geert Uytterhoeven <>, Paul Moore <>, 
	David Laight <>, Simon Brand <>, 
	Dave Mielke <>, "Mickaël Salaün" <>, KP Singh <>, 
	Nico Schottelius <>
Subject: Re: [PATCH v3 0/1] Restrict access to TIOCLINUX

On Tue, Aug 29, 2023 at 03:00:19PM +0200, Günther Noack wrote:
> Let me update the list of known usages then: The TIOCL_SETSEL, TIOCL_PASTESEL
> and TIOCL_SELLOADLUT mentions found on are:
> (1) Actual invocations:
>  * consolation:
>      "consolation" is a gpm clone, which also runs as root.
>      (I have not had the chance to test this one yet.)

I have tested the consolation program with a kernel that has the patch, and it
works as expected -- you can copy and paste on the console.

>  * BRLTTY:
>      Uses TIOCL_SETSEL as a means to highlight portions of the screen.
>      The TIOCSTI patch made BRLTTY work by requiring CAP_SYS_ADMIN,
>      so we know that BRLTTY has that capability (it runs as root and
>      does not drop it).
> (2) Some irrelevant matches:
>  * snapd: has a unit test mentioning it, to test their seccomp filters
>  * libexplain: mentions it, but does not call it (it's a library for
>    human-readably decoding system calls)
>  * manpages: documentation
> *Outside* of
>  * gpm:
>      I've verified that this works with the patch.
>      (To my surprise, Debian does not index this project's code.)

(As Samuel pointed out, I was wrong there - Debian does index it, but it does
not use the #defines from the headers... who would have thought...)

> FWIW, I also briefly looked into "jamd" (, which
> was mentioned as similar in the manpage for "consolation", but that software
> does not use any ioctls at all.
> So overall, it still seems like nothing should break. 👍

Summarizing the above - the only three programs which are known to use the
affected TIOCLINUX subcommands are:

* consolation (tested)
* gpm (tested)
* BRLTTY (known to work with TIOCSTI, where the same CAP_SYS_ADMIN requirement
  has been imposed for a while now)

I think that this is a safe change for the existing usages and that we have done
the due diligence required to turn off these features.

Greg, could you please have another look?


Sent using Mutt 🐕 Woof Woof
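
To check on a running kernel whether the restriction discussed in this thread is in effect, here is an added example (not code from the patch, nor from consolation, gpm or BRLTTY): it sends a TIOCL_SETSEL whose only effect is clearing the current highlight to the controlling tty and reports the verdict. The function and enum names are mine, and EPERM as the refusal error code is an assumption; on a patched kernel a non-root shell on a VT should see "restricted", on an unpatched one "allowed".

```c
/* Added example, not the patch's code: does this kernel restrict the TIOCLINUX copy/paste subcommands to CAP_SYS_ADMIN? EPERM as the refusal is assumed. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>

#define TIOCL_SETSEL   2 /* subcommand numbers as in <linux/tiocl.h> */
#define TIOCL_SELCLEAR 4

enum probe_result { TIOCL_RESTRICTED, TIOCL_ALLOWED, TIOCL_NOT_CONSOLE, TIOCL_UNAVAILABLE };

/* Map an ioctl(2) outcome to a verdict. Pure, so it is testable without a console.
 * EPERM: refused for lack of CAP_SYS_ADMIN. ENOTTY: the fd is not a Linux VT. */
enum probe_result classify(int ret, int err)
{
	if (ret == 0)
		return TIOCL_ALLOWED;
	if (err == EPERM)
		return TIOCL_RESTRICTED;
	if (err == ENOTTY)
		return TIOCL_NOT_CONSOLE;
	return TIOCL_UNAVAILABLE;
}

/* Issue a TIOCL_SETSEL whose only effect is clearing the current highlight
 * (sel_mode = TIOCL_SELCLEAR). The kernel reads the subcode byte immediately
 * followed by struct tiocl_selection, hence the packed layout. */
enum probe_result probe_tioclinux(const char *dev)
{
	struct __attribute__((packed)) {
		char subcode;
		unsigned short xs, ys, xe, ye, sel_mode;
	} req = { .subcode = TIOCL_SETSEL, .sel_mode = TIOCL_SELCLEAR };
	int fd = open(dev, O_RDWR | O_NOCTTY);
	if (fd < 0)
		return TIOCL_UNAVAILABLE;
	int ret = ioctl(fd, TIOCLINUX, &req);
	int err = errno;
	close(fd);
	return classify(ret, err);
}

int main(void)
{
	static const char *v[] = { "restricted (EPERM)", "allowed", "not a Linux console", "unavailable" };
	printf("TIOCLINUX copy/paste on /dev/tty: %s\n", v[probe_tioclinux("/dev/tty")]);
	return 0;
}
```

Run it from a login on a virtual console: from a pty the verdict is "not a Linux console", and probing a VT other than the caller's own is avoided on purpose, because tioclinux() already answers EPERM there for non-CAP_SYS_ADMIN callers regardless of this patch.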
