Block TIOCLINUX ioctl in seccomp arg-level filter

Signed-off-by: Cong Wang <cwang@multikernel.io>

Author: congwang-mk

src/sandlock/_seccomp.py

@@ -79,9 +79,13 @@
     | CLONE_NEWNET | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWCGROUP
 )
 
-# Dangerous ioctl commands — TIOCSTI allows injecting input into
-# another terminal session (terminal escape attack).
+# Dangerous ioctl commands:
+# - TIOCSTI: inject input into another terminal session (terminal escape)
+# - TIOCLINUX: access kernel console (keystroke injection on VTs,
+#   selection buffer read, keyboard reprogramming)
 TIOCSTI = 0x5412
+TIOCLINUX = 0x541C
+_DANGEROUS_IOCTLS = (TIOCSTI, TIOCLINUX)
 
 # Dangerous prctl(2) options — these allow a sandboxed process to
 # weaken its own confinement.
@@ -304,7 +308,7 @@ def _build_arg_filters() -> bytes:
     - clone(2): Block namespace flags (CLONE_NEW*) with ERRNO.
       Plain forks fall through to the main filter (USER_NOTIF if
       clone is in the notif list, or ALLOW if not).
-    - ioctl(2): Block TIOCSTI (terminal input injection).
+    - ioctl(2): Block TIOCSTI and TIOCLINUX (terminal attacks).
     - prctl(2): Block dangerous options (PR_SET_DUMPABLE,
       PR_SET_SECCOMP, PR_SET_SECUREBITS, PR_SET_PTRACER).
     """
@@ -323,16 +327,17 @@ def _build_arg_filters() -> bytes:
         insns += _bpf_jump(BPF_JMP | BPF_JSET | BPF_K, _CLONE_NS_FLAGS, 0, 1)
         insns += _bpf_stmt(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ERRNO_EPERM)
 
-    # --- ioctl: block TIOCSTI (terminal input injection) ---
-    # Load syscall number
+    # --- ioctl: block dangerous commands (TIOCSTI, TIOCLINUX) ---
     insns += _bpf_stmt(BPF_LD | BPF_W | BPF_ABS, OFFSET_NR)
-    # if nr != ioctl, skip ahead
-    insns += _bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, _SYSCALL_NR["ioctl"], 0, 3)
+    n_ioctls = len(_DANGEROUS_IOCTLS)
+    # if nr != ioctl, skip: 1 (load arg1) + n_ioctls*2 (check+deny each)
+    skip_count = 1 + n_ioctls * 2
+    insns += _bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, _SYSCALL_NR["ioctl"], 0, skip_count)
     # Load ioctl request (arg1, low 32 bits)
     insns += _bpf_stmt(BPF_LD | BPF_W | BPF_ABS, OFFSET_ARGS1_LO)
-    # if request == TIOCSTI → deny
-    insns += _bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 1)
-    insns += _bpf_stmt(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ERRNO_EPERM)
+    for cmd in _DANGEROUS_IOCTLS:
+        insns += _bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, cmd, 0, 1)
+        insns += _bpf_stmt(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ERRNO_EPERM)
 
     # --- prctl: block dangerous options that weaken the sandbox ---
     insns += _bpf_stmt(BPF_LD | BPF_W | BPF_ABS, OFFSET_NR)

tests/test_integration.py

@@ -301,6 +301,24 @@ def test_default_deny_blocks_ptrace(self):
 ret = libc.ptrace(0, 0, 0, 0)  # PTRACE_TRACEME
 err = ctypes.get_errno()
 print("BLOCKED" if err == errno.EPERM else f"UNEXPECTED {err}")
+"""]
+        )
+        assert result.success
+        assert b"BLOCKED" in result.stdout
+
+    def test_ioctl_tioclinux_blocked(self):
+        """TIOCLINUX ioctl is blocked by arg-level seccomp filter."""
+        policy = Policy(fs_readable=_PYTHON_READABLE)
+        result = Sandbox(policy).run(
+            ["python3", "-c", """
+import ctypes, ctypes.util, errno, fcntl
+TIOCLINUX = 0x541C
+buf = ctypes.create_string_buffer(1)
+try:
+    fcntl.ioctl(0, TIOCLINUX, buf)
+    print("ALLOWED")
+except OSError as e:
+    print("BLOCKED" if e.errno == errno.EPERM else f"UNEXPECTED {e.errno}")
 """]
         )
         assert result.success

tests/test_seccomp.py

@@ -8,10 +8,12 @@
 from sandlock._seccomp import (
     AUDIT_ARCH,
     DEFAULT_DENY_SYSCALLS,
+    TIOCLINUX,
     TIOCSTI,
     _ARCH_AARCH64,
     _ARCH_X86_64,
     _CLONE_NS_FLAGS,
+    _DANGEROUS_IOCTLS,
     _DANGEROUS_PRCTL_OPS,
     _MACHINE_TO_ARCH,
     _SYSCALL_NR,
@@ -101,6 +103,13 @@ def test_clone_ns_flags_defined(self):
     def test_tiocsti_defined(self):
         assert TIOCSTI == 0x5412
 
+    def test_tioclinux_defined(self):
+        assert TIOCLINUX == 0x541C
+
+    def test_dangerous_ioctls_defined(self):
+        assert TIOCSTI in _DANGEROUS_IOCTLS
+        assert TIOCLINUX in _DANGEROUS_IOCTLS
+
     def test_prctl_in_syscall_map(self):
         assert "prctl" in _SYSCALL_NR