From nobody Mon Jul 21 02:13:45 2025 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4blkTj592Nz61xv2; Mon, 21 Jul 2025 02:13:45 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4blkTj2dKZz3NF1; Mon, 21 Jul 2025 02:13:45 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1753064025; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=iLmS7HjVE/G+Xza35+NHDWm8hZq4jmbYCl4oqOhovvU=; b=O1P5o9WiUMW87cZXP7mmYpYRYCUdbka1SGFKJFDqzOvH3fT46znYmzMDEMFszaLvTsC6YQ E75Dg5YjULekx2UxFVg1SDVThGXfoljeL5md7AE89JzeTYG/xGg+6CmJihDVvVd9tqJrPu TJ2j6JPvmN8ZLGkeykgOVRLJ7VHi08lJgdeMIwztFxUlIMktEKHw6R72CIrcSBR9iGM7NU nWbW+q6qEk1BbqMe/PbpjCQGWhMUqnfwN6Ye9HUlboC5GXwTmTIumEXmzVDT4QPGsFDuZ8 SMIfBZuYRkFCkGFswK8/Y7Ps6YiJpomblMGzeFwUI9JcFd71Xj8GHWS7EtmEnQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1753064025; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=iLmS7HjVE/G+Xza35+NHDWm8hZq4jmbYCl4oqOhovvU=; b=Hp+kmInw8Xp4KOBX1PouXWEeU7BTk66RuQ9oeGo4a967YNxhCEsurZEGxRjE883ZZjCKVz JCbY2fGoVLVtN+1ZKDQPSQ5OWQwwhrvrZVLu9BazFVFfw+F9AYficxjWDOUY2wuP4cAjku 8Zx8HjPLJw1/nWrgLvX7Ia6MyQrdnIZh0jpdmCwa/jVFmIbZhpIh4n4hEQKKBB/E9IOPBD Hfyx3ZwNawBaWevUtUXetV7JikAxmg5gVDGxw/g/7nBiPqoB0aKvZj32WOrPEbVYmHpe6x 3RoNbGGxh8aLgZVTRCUbDe/2efy3ej6Lzhlqz0DPXWU2ySjZoCj2Pp93Ep8Cvg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1753064025; a=rsa-sha256; cv=none; b=Lm3yundr3TY2HiaFDH1gsuy4DMXSGohCOhKS033I4KFEOEgqqAy8jgbmiwZoGwO+6sqYmm Sord7Lu6XNhfPH9XXHjcnomrMNdXukTROXC1A+BETE3hqwlFwepS4uyvXXaLOk187IaGyX lkSRF3x7dPbi8j5ppgBi/MAlzR6E5nJMbH8WysTgMA3lFt0+9kR7xoY+oporZ8PEYZQbf0 yvptr+09uMiJ+pTTr7BL8062OPRxkZaT8dfKxkGMSk5oxW+6Pmu2DbzwVA4r64t6zAX3NL 9cqAfsDUNPaqH9ICsdSsK4jJ1Ws28ef5fCl+plfafxRix0dn4Bsvqnbn3w3HHw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4blkTj2BVPzfJh; Mon, 21 Jul 2025 02:13:45 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 56L2DjbS013509; Mon, 21 Jul 2025 02:13:45 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 56L2Dj9l013506; Mon, 21 Jul 2025 02:13:45 GMT (envelope-from git) Date: Mon, 21 Jul 2025 02:13:45 GMT Message-Id: <202507210213.56L2Dj9l013506@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kyle Evans Subject: git: f099c6b3a423 - stable/14 - kern: tty: refactor TIOCSTI privilege checks slightly List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: f099c6b3a423a78c1367a11fd987457ae592924f Auto-Submitted: auto-generated The branch stable/14 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=f099c6b3a423a78c1367a11fd987457ae592924f commit f099c6b3a423a78c1367a11fd987457ae592924f Author: Kyle Evans AuthorDate: 2025-05-28 01:19:17 +0000 Commit: Kyle Evans CommitDate: 2025-07-21 02:12:25 +0000 kern: tty: refactor TIOCSTI privilege checks slightly This removes some repetition from it and makes the flow a little more obvious. Future work may find some way to add more constraints to the unprivileged path, add a security sysctl to disable it, or perhaps some combination of the two. Reviewed by: kib, markj (cherry picked from commit 59fc4cda1bfa712c46d407d1e83bdd5c63e6e0e3) --- sys/kern/tty.c | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/sys/kern/tty.c b/sys/kern/tty.c index b1b3b268d0e9..47f9f25cec37 100644 --- a/sys/kern/tty.c +++ b/sys/kern/tty.c @@ -1643,6 +1643,24 @@ tty_set_winsize(struct tty *tp, const struct winsize *wsz) tty_signal_pgrp(tp, SIGWINCH); } +static int +tty_sti_check(struct tty *tp, int fflag, struct thread *td) +{ + /* Root can bypass all of our constraints. */ + if (priv_check(td, PRIV_TTY_STI) == 0) + return (0); + + /* Unprivileged users must have it opened for read. */ + if ((fflag & FREAD) == 0) + return (EPERM); + + /* It must also be their controlling tty. */ + if (!tty_is_ctty(tp, td->td_proc)) + return (EACCES); + + return (0); +} + static int tty_generic_ioctl(struct tty *tp, u_long cmd, void *data, int fflag, struct thread *td) @@ -1988,11 +2006,9 @@ tty_generic_ioctl(struct tty *tp, u_long cmd, void *data, int fflag, tty_info(tp); return (0); case TIOCSTI: - if ((fflag & FREAD) == 0 && priv_check(td, PRIV_TTY_STI)) - return (EPERM); - if (!tty_is_ctty(tp, td->td_proc) && - priv_check(td, PRIV_TTY_STI)) - return (EACCES); + error = tty_sti_check(tp, fflag, td); + if (error != 0) + return (error); ttydisc_rint(tp, *(char *)data, 0); ttydisc_rint_done(tp); return (0);