Date: Wed, 16 Dec 2009 20:25:40 -0500
From: Michael Stone
To: Andi Kleen
Cc: Michael Stone, Ulrich Drepper, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, Andi Kleen, David Lang, Oliver Hartkopp, Alan Cox, Herbert Xu, Valdis Kletnieks, Bryan Donlan, Evgeniy Polyakov, "C. Scott Ananian", James Morris, "Eric W. Biederman", Bernie Innocenti, Mark Seaborn
Subject: Re: [PATCH] Security: Add prctl(PR_{GET,SET}_NETWORK) interface.
Message-ID: <20091217012540.GA2609@heat>
In-Reply-To: <20091216155938.GG15031@basil.fritz.box>

Andi Kleen wrote:
> On Wed, Dec 16, 2009 at 10:32:43AM -0500, Michael Stone wrote:
>> Daniel Bernstein has observed [1] that security-conscious userland processes
>> may benefit from the ability to irrevocably remove their ability to create,
>> bind, connect to, or send messages except in the case of previously
>> connected sockets or AF_UNIX filesystem sockets. We provide this facility by
>> implementing support for a new prctl(PR_SET_NETWORK) flag named
>> PR_NETWORK_OFF.
>>
>> This facility is particularly attractive to security platforms like OLPC
>> Bitfrost [2] and to isolation programs like Rainbow [3] and Plash [4].
>
> What would stop them from ptracing someone else running under the same
> uid who still has the network access?

Just like in the (revised from last year) rlimits version, there's a hunk in
the prctl_network semantics patch which disables networking-via-ptrace() like
so:

diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 23bd09c..5b38db0 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -151,6 +151,8 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode)
 	dumpable = get_dumpable(task->mm);
 	if (!dumpable && !capable(CAP_SYS_PTRACE))
 		return -EPERM;
+	if (current->network)
+		return -EPERM;
 
 	return security_ptrace_access_check(task, mode);
 }

More questions?

Regards, and thanks for your interest,

Michael
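Review bot: the new `if (current->network) return -EPERM;` in __ptrace_may_access ignores the `mode` argument, so it denies every caller of this function, read-only (PTRACE_MODE_READ) access checks included, not only the attach path the mail says it is meant to close; if only tracing is to be blocked, gate it on the mode (e.g. `if ((mode & PTRACE_MODE_ATTACH) && current->network)`), and either way add a one-line comment stating that the check deliberately sits after the CAP_SYS_PTRACE bypass so the restriction stays irrevocable even for a privileged tracer, and that a non-zero `network` is being treated as "networking off" rather than compared against PR_NETWORK_OFF explicitly.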