runcon: disable use of the TIOCSTI ioctl

Similar to the issue with SELinux sandbox (CVE-2016-7545),
children of runcon can inject arbitrary input to the terminal
that would be run at the originating terminal privileges.

The new libseccomp dependency is widely available and used
on modern SELinux systems, but is not available by default
on older systems like RHEL6 etc.

* m4/jm-macros.m4: Check for libseccomp and
warn if unavailable on selinux supporting systems.
* src/local.mk: Link runcon with -lseccomp.
* src/runcon.c (disable_tty_inject): A new function to
disable use of the TIOCSTI using libseccomp, or with setsid()
where libseccomp is unavailable.
* tests/misc/runcon-no-inject.sh: A new test that uses
python to make the TIOCSTI call, and ensure that doesn't succeed.
* tests/local.mk: Reference the new test
* NEWS: Mention the fix.
Addresses http://bugs.gnu.org/24541

1 files changed, 13 insertions, 0 deletions

diff --git a/m4/jm-macros.m4 b/m4/jm-macros.m4
index ef915bd37..de0657b82 100644
--- a/m4/jm-macros.m4
+++ b/m4/jm-macros.m4
@@ -63,6 +63,19 @@ AC_DEFUN([coreutils_MACROS],
         esac
       fi
     ])
+
+    # Used by runcon.c
+    LIB_SECCOMP=
+    AC_SUBST([LIB_SECCOMP])
+    if test "$with_selinux" != no; then
+      AC_SEARCH_LIBS([seccomp_init], [seccomp],
+        [test "$ac_cv_search_seccomp_init" = "none required" ||
+          LIB_SECCOMP=$ac_cv_search_seccomp_init
+         AC_DEFINE([HAVE_SECCOMP], [1], [libseccomp usability])],
+        [test "$ac_cv_header_selinux_selinux_h" = yes &&
+         AC_MSG_WARN([libseccomp library was not found or not usable])
+         AC_MSG_WARN([runcon will be vulnerable to tty injection])])
+    fi
   LIBS=$coreutils_saved_libs
 
   # Used by sort.c.