From 42b966d2df6a0d1264ff1c382eb9d4c6826164c2 Mon Sep 17 00:00:00 2001 From: Nicolas Iooss Date: Sat, 14 Sep 2019 13:58:39 +0200 Subject: [PATCH 1/2] sudo: allow transmitting SIGWINCH to its child When resizing the X11 window of a terminal running sudo on a remote Debian 10 system (through ssh), sudo forwards SIGWINCH to its children (this behavior might be caused by using "Defaults use_pty" in /etc/sudoers). This leads to the following audit logs: type=AVC msg=audit(1567880108.988:13823): avc: denied { signal } for pid=15670 comm="sudo" scontext=sysadm_u:sysadm_r:sysadm_sudo_t tcontext=sysadm_u:sysadm_r:sysadm_t tclass=process permissive=0 type=SYSCALL msg=audit(1567880108.988:13823): arch=c000003e syscall=62 success=no exit=-13 a0=ffffc2c9 a1=1c a2=ffffffff a3=100 items=0 ppid=15607 pid=15670 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=721 comm="sudo" exe="/usr/bin/sudo" subj=sysadm_u:sysadm_r:sysadm_sudo_t key=(null) type=PROCTITLE msg=audit(1567880108.988:13823): proctitle=2F7573722F62696E2F7375646F002D73 The process tree (ps -ef, edited) on this remote system was: LABEL UID PID PPID TTY CMD system_u:system_r:sshd_t user 15519 15480 ? sshd: user@pts/5 sysadm_u:sysadm_r:sysadm_t user 15524 15519 pts/5 -zsh sysadm_u:sysadm_r:sysadm_sudo_t root 15607 15524 pts/5 /usr/bin/sudo -s sysadm_u:sysadm_r:sysadm_sudo_t root 15670 15607 pts/6 /usr/bin/sudo -s sysadm_u:sysadm_r:sysadm_t root 15671 15670 pts/6 /usr/bin/zsh The denied syscall was: * syscall=62: int kill(pid_t pid, int sig) * a0=ffffc2c9: pid = -15671 (process group of sudo's child) * a1=1c: sig = 28 = SIGWINCH Allow such a signal to be transmitted. Signed-off-by: Nicolas Iooss --- policy/modules/admin/sudo.if | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index 3a27291e8..186ddb6f1 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if 
@@ -69,6 +69,9 @@ template(`sudo_role_template',` allow $1_sudo_t $3:key search; + # Transmit SIGWINCH to children + allow $1_sudo_t $3:process signal; + # Enter this derived domain from the user domain domtrans_pattern($3, sudo_exec_t, $1_sudo_t) From 1097ce0e24ad53c87bbe25df11048cf90b557ff3 Mon Sep 17 00:00:00 2001 From: Nicolas Iooss Date: Sat, 14 Sep 2019 14:00:58 +0200 Subject: [PATCH 2/2] sudo: allow using CAP_KILL for SIGWINCH With the following process tree: LABEL UID PID PPID TTY CMD sysadm_u:sysadm_r:sysadm_t root 18146 12404 pts/0 /usr/bin/zsh sysadm_u:sysadm_r:sysadm_sudo_t root 18441 18146 pts/0 sudo -su user sysadm_u:sysadm_r:sysadm_sudo_t root 18443 18441 pts/1 sudo -su user sysadm_u:sysadm_r:sysadm_t user 18444 18443 pts/1 /usr/bin/zsh When the terminal window of the first process is resized, SIGWINCH is forwarded by process 18443, which requests capability CAP_KILL: type=AVC msg=audit(1567881640.754:13839): avc: denied { kill } for pid=18443 comm="sudo" capability=5 scontext=sysadm_u:sysadm_r:sysadm_sudo_t tcontext=sysadm_u:sysadm_r:sysadm_sudo_t tclass=capability permissive=0 type=SYSCALL msg=audit(1567881640.754:13839): arch=c000003e syscall=62 success=no exit=-1 a0=ffffb7f4 a1=1c a2=ffffffff a3=100 items=0 ppid=18441 pid=18443 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=690 comm="sudo" exe="/usr/bin/sudo" subj=sysadm_u:sysadm_r:sysadm_sudo_t key=(null) type=PROCTITLE msg=audit(1567881640.754:13839): proctitle=7375646F002D73750075736572 Signed-off-by: Nicolas Iooss --- policy/modules/admin/sudo.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index 186ddb6f1..c1459364b 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if 
@@ -52,7 +52,7 @@ template(`sudo_role_template',` # # Use capabilities. - allow $1_sudo_t self:capability { chown dac_override fowner setgid setuid sys_nice sys_resource }; + allow $1_sudo_t self:capability { chown dac_override fowner kill setgid setuid sys_nice sys_resource }; allow $1_sudo_t self:process { signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr getrlimit rlimitinh siginh transition setsockcreate dyntransition noatsecure setkeycreate }; allow $1_sudo_t self:process { setexec setrlimit }; allow $1_sudo_t self:fd use;
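Review bot: In patch 1/2, hunk @@ -69,6 +69,9 @@, the comment "Transmit SIGWINCH to children" understates what `allow $1_sudo_t $3:process signal;` grants. The SELinux `signal` permission is not specific to one signal number: it covers every signal that has no dedicated permission (so everything apart from sigchld, sigkill, sigstop and signull), and the target is every process labelled with the user domain $3, not only the command sudo started. SELinux cannot express "SIGWINCH only" or "children only", so the rule itself may be the right trade-off, but the comment should say what is really allowed, for example "# Forward signals (such as SIGWINCH) to the command running in the user domain", so that a later policy audit does not read it as a narrower grant than it is.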
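Review bot: In patch 2/2, hunk @@ -52,7 +52,7 @@, `kill` is added to the `self:capability` set with no comment in the policy, so the reason is recorded only in the commit message. CAP_KILL lets the process skip the kernel's UID permission check when sending signals, and together with the `$3:process signal` rule from patch 1/2 this means $1_sudo_t can signal user-domain processes owned by any UID. The audit record in the commit message shows the case that needs it (sudo with uid=0 forwarding to a shell running as another user after `sudo -su user`), so please note that next to the "Use capabilities." line, for example "# kill: forward signals such as SIGWINCH to a command running under a different UID", to make clear why a signal-sending capability belongs in this set.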