runcon: disable use of the TIOCSTI ioctl

Similar to the issue with SELinux sandbox (CVE-2016-7545),
children of runcon can inject arbitrary input to the terminal
that would be run at the originating terminal privileges.

The new libseccomp dependency is widely available and used
on modern SELinux systems, but is not available by default
on older systems like RHEL6 etc.

* m4/jm-macros.m4: Check for libseccomp and
warn if unavailable on selinux supporting systems.
* src/local.mk: Link runcon with -lseccomp.
* src/runcon.c (disable_tty_inject): A new function to
disable use of the TIOCSTI using libseccomp, or with setsid()
where libseccomp is unavailable.
* tests/misc/runcon-no-inject.sh: A new test that uses
python to make the TIOCSTI call, and ensure that doesn't succeed.
* tests/local.mk: Reference the new test
* NEWS: Mention the fix.
Addresses http://bugs.gnu.org/24541

NEWS

@@ -72,6 +72,10 @@ GNU coreutils NEWS                                    -*- outline -*-
   non regular files are specified, as inotify is ineffective with these.
   [bug introduced with inotify support added in coreutils-7.5]
 
+  runcon now disables use of the TIOCSTI ioctl in its children, which could
+  be used to inject commands to the terminal and run at the original context.
+  [the issue dates back to the initial implementation]
+
   uptime no longer outputs the AM/PM component of the current time,
   as that's inconsistent with the 24 hour time format used.
   [bug introduced in coreutils-7.0]

m4/jm-macros.m4

@@ -63,6 +63,19 @@ AC_DEFUN([coreutils_MACROS],
         esac
       fi
     ])
+
+    # Used by runcon.c
+    LIB_SECCOMP=
+    AC_SUBST([LIB_SECCOMP])
+    if test "$with_selinux" != no; then
+      AC_SEARCH_LIBS([seccomp_init], [seccomp],
+        [test "$ac_cv_search_seccomp_init" = "none required" ||
+          LIB_SECCOMP=$ac_cv_search_seccomp_init
+         AC_DEFINE([HAVE_SECCOMP], [1], [libseccomp usability])],
+        [test "$ac_cv_header_selinux_selinux_h" = yes &&
+         AC_MSG_WARN([libseccomp library was not found or not usable])
+         AC_MSG_WARN([runcon will be vulnerable to tty injection])])
+    fi
   LIBS=$coreutils_saved_libs
 
   # Used by sort.c.

src/local.mk

@@ -243,6 +243,7 @@ src_mkfifo_LDADD += $(LIB_SMACK)
 src_mknod_LDADD += $(LIB_SELINUX)
 src_mknod_LDADD += $(LIB_SMACK)
 src_runcon_LDADD += $(LIB_SELINUX)
+src_runcon_LDADD += $(LIB_SECCOMP)
 src_stat_LDADD += $(LIB_SELINUX)
 
 # for nvlist_lookup_uint64_array

src/runcon.c

@@ -45,6 +45,10 @@
 #include <getopt.h>
 #include <selinux/selinux.h>
 #include <selinux/context.h>
+#ifdef HAVE_SECCOMP
+# include <seccomp.h>
+# include <sys/ioctl.h>
+#endif
 #include <sys/types.h>
 #include "system.h"
 #include "die.h"
@@ -102,6 +106,28 @@ With neither CONTEXT nor COMMAND, print the current security context.\n\
   exit (status);
 }
 
+static void
+disable_tty_inject (void)
+{
+#ifdef HAVE_SECCOMP
+  scmp_filter_ctx ctx = seccomp_init (SCMP_ACT_ALLOW);
+  if (! ctx)
+    die (EXIT_FAILURE, 0, _("failed to initialize seccomp context"));
+  if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EPERM), SCMP_SYS (ioctl), 1,
+                        SCMP_A1 (SCMP_CMP_EQ, (int) TIOCSTI)) < 0)
+    die (EXIT_FAILURE, 0, _("failed to add seccomp rule"));
+  if (seccomp_load (ctx) < 0)
+    die (EXIT_FAILURE, 0, _("failed to load seccomp rule"));
+  seccomp_release (ctx);
+#else
+  /* This may have unwanted side effects, but is a fallback
+     on older systems without libseccomp.  */
+  if (setsid () != 0)
+    die (EXIT_FAILURE, errno, _("cannot create session"));
+#endif /* HAVE_SECCOMP */
+}
+
+
 int
 main (int argc, char **argv)
 {
@@ -195,6 +221,8 @@ main (int argc, char **argv)
     die (EXIT_FAILURE, 0, _("%s may be used only on a SELinux kernel"),
          program_name);
 
+  disable_tty_inject ();
+
   if (context)
     {
       con = context_new (context);

tests/local.mk

@@ -333,6 +333,7 @@ all_tests =					\
   tests/misc/readlink-root.sh			\
   tests/misc/realpath.sh			\
   tests/misc/runcon-no-reorder.sh		\
+  tests/misc/runcon-no-inject.sh		\
   tests/misc/sha1sum.pl				\
   tests/misc/sha1sum-vec.pl			\
   tests/misc/sha224sum.pl			\

tests/misc/runcon-no-inject.sh

@@ -0,0 +1,31 @@
+#!/bin/sh
+# Ensure that runcon does not reorder its arguments.
+
+# Copyright (C) 2017 Free Software Foundation, Inc.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
+print_ver_ runcon
+
+cat <<\EOF >inject.py || framework_failure_
+import fcntl, termios
+fcntl.ioctl(0, termios.TIOCSTI, '\n')
+EOF
+
+python inject.py || skip_ 'python TIOCSTI check failed'
+
+returns_ 1 runcon $(id -Z) python inject.py || fail=1
+
+Exit $fail