Environment:
- OS: centos8 (generic/centos8 vagrant box)
- Virtualization: VMWare-Workstation 16.1.0 build-17198959
Steps to reproduce:
- Create a new devices policy:
  cd /sys/fs/cgroup/devices
  mkdir custom_poc
- Verify which device is being used as the tty (multiple methods):
  - Using tty:
    [root@centos8 custom_poc]# tty
    /dev/pts/0
  - Getting the process STDIN:
    [root@centos8 custom_poc]# ls -l /proc/$$/fd/{0,1,2}
    lrwx------. 1 root root 64 Mar 5 11:25 /proc/2446/fd/0 -> /dev/pts/0
    lrwx------. 1 root root 64 Mar 5 11:25 /proc/2446/fd/1 -> /dev/pts/0
    lrwx------. 1 root root 64 Mar 5 11:25 /proc/2446/fd/2 -> /dev/pts/0
- Add the tty device to devices.deny:
  - Check device major and minor numbers:
    [root@centos8 custom_poc]# ls -l /dev/pts/0
    crw--w----. 1 vagrant tty 136, 0 Mar 5 11:28 /dev/pts/0
  - Deny access:
    [root@centos8 custom_poc]# echo 'c 136:0 w' > /sys/fs/cgroup/devices/custom_poc/devices.deny
    [root@centos8 custom_poc]# echo $$ > tasks
    [root@centos8 custom_poc]# echo 'a' > /dev/pts/0
    -bash: /dev/pts/0: Operation not permitted
- However my bash terminal works just fine even after removing access to the STDIN device; here is the output of a simple whoami:
  [root@centos8 custom_poc]# whoami
  root
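The shell keeps working because the cgroup v1 devices controller enforces its rules when a device node is opened (or created with mknod) and never revokes descriptors that are already open, which is why the fresh open in `echo 'a' > /dev/pts/0` fails while the shell's existing fds 0-2 still reach the tty. As an added example (not part of this report), the script below lists the device nodes a process already holds open and flags those that a given deny rule covers; the PID, the rule text and a Linux /proc layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the original report: find device descriptors a
# process already holds that a cgroup-v1 devices.deny rule would not revoke.

# rule_matches TYPE MAJOR MINOR ACCESS RULE
# TYPE is b or c, ACCESS is one of r/w/m, RULE is in devices.deny syntax,
# e.g. "c 136:0 w" or "a *:* rwm". Returns 0 when RULE covers the access.
rule_matches() {
    type=$1; major=$2; minor=$3; access=$4
    rtype=${5%% *}; rest=${5#* }; rdev=${rest%% *}; racc=${rest#* }
    rmaj=${rdev%%:*}; rmin=${rdev#*:}          # parsed without globbing '*'
    [ "$rtype" = a ] || [ "$rtype" = "$type" ] || return 1
    [ "$rmaj" = '*' ] || [ "$rmaj" = "$major" ] || return 1
    [ "$rmin" = '*' ] || [ "$rmin" = "$minor" ] || return 1
    case "$racc" in *"$access"*) return 0 ;; esac
    return 1
}

# open_devices PID: print "FD TYPE MAJOR MINOR PATH" for each open descriptor
# of PID that refers to a block or character device (stat reports hex numbers).
open_devices() {
    for fd in /proc/"$1"/fd/*; do
        [ -e "$fd" ] || continue
        path=$(readlink "$fd") || continue
        info=$(stat -L -c '%F:%t:%T' "$fd" 2>/dev/null) || continue
        ftype=${info%%:*}; rest=${info#*:}
        case "$ftype" in
            'character special file') t=c ;;
            'block special file') t=b ;;
            *) continue ;;
        esac
        printf '%s %s %d %d %s\n' "${fd##*/}" "$t" \
            "$((0x${rest%%:*}))" "$((0x${rest#*:}))" "$path"
    done
}

# held_despite_deny PID ACCESS RULE: list descriptors of PID on devices that
# RULE denies for ACCESS but which stay usable because they are already open.
held_despite_deny() {
    open_devices "$1" | while read -r fd t maj min path; do
        if rule_matches "$t" "$maj" "$min" "$2" "$3"; then
            echo "fd $fd -> $path ($t $maj:$min) is already open; rule '$3' does not revoke it"
        fi
    done
}

# Scenario from the report: the current shell and the rule written to devices.deny.
held_despite_deny "$$" w 'c 136:0 w'
```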