[PATCH] tty: replace capable() with file_ns_capable()
From: Pranav Tyagi
Date: Sat Jun 07 2025 - 09:42:24 EST
The TIOCCONS ioctl currently uses capable(CAP_SYS_ADMIN) to check for
privileges, which validates the current task's credentials. Since this
ioctl acts on an open file descriptor, the check should instead use the
file opener's credentials.
Replace capable() with file_ns_capable() to ensure the capability is
checked against file->f_cred in the correct user namespace. This
prevents unintended privilege escalation and aligns with best practices
for secure ioctl implementations.
Signed-off-by: Pranav Tyagi <pranav.tyagi03@xxxxxxxxx>
Link: https://github.com/KSPP/linux/issues/156
---
drivers/tty/tty_io.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index e2d92cf70eb7..ee0df35d65c3 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -102,6 +102,9 @@
#include <linux/uaccess.h>
#include <linux/termios_internal.h>
#include <linux/fs.h>
+#include <linux/cred.h>
+#include <linux/user_namespace.h>
+#include <linux/capability.h>
#include <linux/kbd_kern.h>
#include <linux/vt_kern.h>
@@ -2379,7 +2382,7 @@ static int tiocswinsz(struct tty_struct *tty, struct winsize __user *arg)
*/
static int tioccons(struct file *file)
{
- if (!capable(CAP_SYS_ADMIN))
+ if (!file_ns_capable(file, file->f_cred->user_ns, CAP_SYS_ADMIN))
return -EPERM;
if (file->f_op->write_iter == redirected_tty_write) {
struct file *f;
--
2.49.0