sudo: allow transmitting SIGWINCH to its child
When resizing the X11 window of a terminal running sudo on a remote
Debian 10 system (through ssh), sudo forwards SIGWINCH to its children
(this behavior might be caused by using "Defaults use_pty" in
/etc/sudoers). This leads to the following audit logs:
type=AVC msg=audit(1567880108.988:13823): avc: denied { signal }
for pid=15670 comm="sudo" scontext=sysadm_u:sysadm_r:sysadm_sudo_t
tcontext=sysadm_u:sysadm_r:sysadm_t tclass=process permissive=0
type=SYSCALL msg=audit(1567880108.988:13823): arch=c000003e
syscall=62 success=no exit=-13 a0=ffffc2c9 a1=1c a2=ffffffff a3=100
items=0 ppid=15607 pid=15670 auid=1000 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=721 comm="sudo"
exe="/usr/bin/sudo" subj=sysadm_u:sysadm_r:sysadm_sudo_t key=(null)
type=PROCTITLE msg=audit(1567880108.988:13823):
proctitle=2F7573722F62696E2F7375646F002D73
The process tree (ps -ef, edited) on this remote system was:
LABEL UID PID PPID TTY CMD
system_u:system_r:sshd_t user 15519 15480 ? sshd: user@pts/5
sysadm_u:sysadm_r:sysadm_t user 15524 15519 pts/5 -zsh
sysadm_u:sysadm_r:sysadm_sudo_t root 15607 15524 pts/5 /usr/bin/sudo -s
sysadm_u:sysadm_r:sysadm_sudo_t root 15670 15607 pts/6 /usr/bin/sudo -s
sysadm_u:sysadm_r:sysadm_t root 15671 15670 pts/6 /usr/bin/zsh
The denied syscall was:
* syscall=62: int kill(pid_t pid, int sig)
* a0=ffffc2c9: pid = -15671 (process group of sudo's child)
* a1=1c: sig = 28 = SIGWINCH
Allow such a signal to be transmitted.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This commit is contained in:
Nicolas Iooss
parent
a5dab43a85
commit
42b966d2df
|
|
@ -69,6 +69,9 @@ template(`sudo_role_template',`
|
|||
|
||||
allow $1_sudo_t $3:key search;
|
||||
|
||||
# Transmit SIGWINCH to children
|
||||
allow $1_sudo_t $3:process signal;
|
||||
|
||||
# Enter this derived domain from the user domain
|
||||
domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue