View Issue Details

ID: 0000130
Project: file
Category: General
View Status: public
Last Update: 2020-01-17 17:20
Reporter: tobias
Assigned To: christos
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 5.38
Fixed in Version: 5.39
Summary: 0000130: sandbox blocks required TCGETS on console with glibc
Description: Calling file from a terminal like tty0, i.e. not from a terminal emulator or multiplexer, just plain old /bin/bash as login shell, results in a bad system call.

The problem is that glibc on a terminal calls ioctl TCGETS, which is not allowed by sandbox.

I have attached a patch that fixes the issue.
Steps To Reproduce:
1. Log in on a tty, do not use a virtual terminal emulator like xterm etc.
2. Call "file /" or anything else which accesses the file system
3. You see "Bad system call"
4. Call "strace file /" and notice that "ioctl(1, TCGETS, ...) = ?" gets interrupted
Additional Information: I'm using:

- x86_64
- linux 5.4.10
- glibc 2.30
- libseccomp 2.4.2
- file 5.38 (compiled with libseccomp support)
Tags: No tags attached.
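
The failure in this report comes down to an ioctl request allowlist that lacks TCGETS. The following is an added example, not code from file or from the attached patch: it builds such an allowlist as a raw seccomp BPF filter (rather than with libseccomp) and compares the result with and without TCGETS. The name `tcgets_errno`, the use of /dev/null as a stand-in for stdout, and answering denied requests with EPERM instead of killing the process are assumptions made so the outcome can be observed.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* A forked child installs an ioctl request allowlist, issues
 * ioctl(fd, TCGETS) and exits with the resulting errno. Simplified: other
 * syscalls are allowed, seccomp_data.arch is not checked (production filters
 * check it first), and the args[1] load assumes a little-endian machine. */
static int tcgets_errno(int allow_tcgets)
{
	struct sock_filter prog[] = {
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_ioctl, 1, 0),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),      /* not ioctl */
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCGWINSZ, 2, 0),
		/* second slot holds TCGETS only when it is on the allowlist */
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allow_tcgets ? TCGETS : TIOCGWINSZ, 1, 0),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM), /* denied */
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),      /* allowlisted */
	};
	struct sock_fprog fprog = { sizeof(prog) / sizeof(prog[0]), prog };
	int status;
	pid_t pid = fork();
	if (pid == 0) {
		int fd = open("/dev/null", O_WRONLY);   /* constructed stand-in for stdout */
		char buf[64];                           /* room for the kernel's termios */
		if (fd < 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
		    prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0)
			_exit(255);                     /* seccomp filters unavailable */
		_exit(syscall(SYS_ioctl, fd, TCGETS, buf) == 0 ? 0 : errno);
	}
	if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
		return -1;
	return WEXITSTATUS(status);
}

int main(void)
{
	printf("without TCGETS: errno %d, with TCGETS: errno %d\n",
	       tcgets_errno(0), tcgets_errno(1));
	return 0;
}
```

EPERM means the filter rejected the request; ENOTTY means the request passed the filter and reached the kernel, which reports that /dev/null is not a terminal.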

Activities

tobias

2020-01-11 11:07

reporter  

file-5.38-seccomp.patch (431 bytes)   
diff --git a/src/seccomp.c b/src/seccomp.c
index ebf3ea1c..02025295 100644
--- a/src/seccomp.c
+++ b/src/seccomp.c
@@ -188,6 +188,10 @@ enable_sandbox_full(void)
 #ifdef TIOCGWINSZ
 	// musl libc may call ioctl TIOCGWINSZ when calling stdout
 	ALLOW_IOCTL_RULE(TIOCGWINSZ);
+#endif
+#ifdef TCGETS
+	// glibc may call ioctl TCGETS when calling stdout
+	ALLOW_IOCTL_RULE(TCGETS);
 #endif
 	ALLOW_RULE(lseek);
  	ALLOW_RULE(_llseek);
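Review bot: The comment on the new TCGETS rule reuses the musl wording "when calling stdout", which does not tell a later reader what triggers the ioctl or why the rule must stay. Suggest wording it after the observed failure, for example "glibc calls ioctl TCGETS on stdout when it is a terminal; without this rule file dies with a bad system call on a Linux console". The hunk header shows the rule is added only in enable_sandbox_full(); if the file has other sandbox setup paths that also write to stdout, please confirm whether they need the same rule. TCGETS only reads terminal attributes, so mirroring the existing TIOCGWINSZ pattern with its own #ifdef guard looks like the right shape for the change.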

christos

2020-01-17 17:20

manager   ~0003342

Fixed, thanks!

Issue History

Date Modified Username Field Change
2020-01-11 11:07 tobias New Issue
2020-01-11 11:07 tobias File Added: file-5.38-seccomp.patch
2020-01-17 17:19 christos Assigned To => christos
2020-01-17 17:19 christos Status new => assigned
2020-01-17 17:20 christos Status assigned => resolved
2020-01-17 17:20 christos Resolution open => fixed
2020-01-17 17:20 christos Fixed in Version => 5.39
2020-01-17 17:20 christos Note Added: 0003342