Merge pull request #258 from raja-grewal/legacy_tiocsti

Enable `dev.tty.legacy_tiocsti=0`

README.md

@@ -47,8 +47,7 @@ space, user space, core dumps, and swap space.
 
 - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
 
-- Provide the option to disable the use of legacy TIOCSTI operation which can be
+- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
-  used to inject keypresses.
 
 - Disable asynchronous I/O as `io_uring` has been the source
   of numerous kernel exploits (when using Linux kernel version >= 6.6).

usr/lib/sysctl.d/990-security-misc.conf

@@ -127,12 +127,14 @@ kernel.perf_event_paranoid=3
 ##
 kernel.randomize_va_space=2
 
-## Disable use of the legacy TIOCSTI operation which can be used to inject keypresses.
+## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
-## Will break screen readers as can no longer push characters into a controlling TTY.
+## Can lead to privilege escalation by pushing characters into a controlling TTY.
-##
+## Will break out-dated screen readers that continue to rely on this legacy functionality.
 ## This is disabled by default when using Linux kernel >= 6.2.
 ##
-#dev.tty.legacy_tiocsti=0
+## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/
+##
+dev.tty.legacy_tiocsti=0
 
 ## Disable asynchronous I/O for all processes.
 ## Leading cause of numerous kernel exploits.