git: 16532b220c9c - stable/15 - tty: Add sysctl knob to globally disable TIOCSTI

The branch stable/15 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=16532b220c9cbd9fb0365a80a23cc435003e9986

commit 16532b220c9cbd9fb0365a80a23cc435003e9986
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2026-05-25 13:59:40 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2026-06-14 20:08:29 +0000

    tty: Add sysctl knob to globally disable TIOCSTI
    
    Reviewed by:    markj
    PR:             293485
    Sponsored by:   The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D57233
    
    (cherry picked from commit c289291a6736c01dd68fb8459ec3801859b0a59a)
    (cherry picked from commit c94b8eee5bcb5f9d116cce9c831933115cfeeb19)
---
 sys/kern/tty.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/sys/kern/tty.c b/sys/kern/tty.c
index afba05ec27b4..5f6afa49b70d 100644
--- a/sys/kern/tty.c
+++ b/sys/kern/tty.c
@@ -101,6 +101,10 @@ static int  tty_drainwait = 5 * 60;
 SYSCTL_INT(_kern, OID_AUTO, tty_drainwait, CTLFLAG_RWTUN,
     &tty_drainwait, 0, "Default output drain timeout in seconds");
 
+static bool tty_tiocsti = true;
+SYSCTL_BOOL(_security_bsd, OID_AUTO, allow_tiocsti, CTLFLAG_RWTUN,
+    &tty_tiocsti, 0, "Allow TIOCSTI ioctl");
+
 /*
  * Set TTY buffer sizes.
  */
@@ -1651,6 +1655,10 @@ tty_set_winsize(struct tty *tp, const struct winsize *wsz)
 static int
 tty_sti_check(struct tty *tp, int fflag, struct thread *td)
 {
+	/* Check for global disable. */
+	if (!tty_tiocsti)
+		return (EPERM);
+
 	/* Root can bypass all of our constraints. */
 	if (priv_check(td, PRIV_TTY_STI) == 0)
 		return (0);