[PATCH 2/2] selinux: add capability checks for TIOCSTI ioctl
From: Abhinav Saxena via B4 Relay
Date: Sun Jun 22 2025 - 21:41:35 EST
From: Abhinav Saxena <xandfury@xxxxxxxxx>
The TIOCSTI ioctl currently only checks the current process's
credentials, creating a TOCTOU vulnerability where an unprivileged
process can open a TTY fd and pass it to a privileged process via
SCM_RIGHTS.
Fix by requiring BOTH the file opener (file->f_cred) AND the current
process to have CAP_SYS_ADMIN. This prevents privilege escalation
while ensuring legitimate use cases continue to work.
Link: https://github.com/KSPP/linux/issues/156
Signed-off-by: Abhinav Saxena <xandfury@xxxxxxxxx>
---
security/selinux/hooks.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 595ceb314aeb..a628551873ab 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3847,6 +3847,12 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
CAP_OPT_NONE, true);
break;
+ case TIOCSTI:
+ if (!file_ns_capable(file, &init_user_ns, CAP_SYS_ADMIN) ||
+ !capable(CAP_SYS_ADMIN))
+ error = -EPERM;
+ break;
+
case FIOCLEX:
case FIONCLEX:
if (!selinux_policycap_ioctl_skip_cloexec())
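Review bot: the new TIOCSTI case requires CAP_SYS_ADMIN unconditionally, with no check that the tty is the caller's own controlling terminal, so an unprivileged process issuing TIOCSTI on its own tty is now refused with -EPERM; that contradicts the commit message's claim that "legitimate use cases continue to work" and is stricter than what the capability check is meant to gate. The case also uses raw `capable()` and `file_ns_capable()` rather than routing through SELinux's own capability check the way the adjacent case does (the call ending in `CAP_OPT_NONE, true);`), so the decision is neither subject to policy nor audited, and it `break`s out of the switch on the capability result alone, skipping whatever per-command permission check the hook applies to other ioctls. Matching on the bare command number in a hook that sees every file is also risky, since TIOCSTI's value is only meaningful for tty files. Consider restricting the new check to tty files, keeping it conditional on the controlling-tty case (or placing the f_cred check in the tty core where the existing TIOCSTI credential check lives), expressing it via the hook's SELinux capability helper, and not short-circuiting the remaining ioctl permission check.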
--
2.43.0