Date: Fri, 18 Jun 2010 07:36:53 -0500
From: "Serge E. Hallyn" <serge@hallyn.com>
To: Roland McGrath <roland@redhat.com>
Cc: Kees Cook <kees.cook@canonical.com>, linux-kernel@vger.kernel.org,
       Randy Dunlap <rdunlap@xenotime.net>,
       Andrew Morton <akpm@linux-foundation.org>,
       Jiri Kosina <jkosina@suse.cz>, Dave Young <hidave.darkstar@gmail.com>,
       Martin Schwidefsky <schwidefsky@de.ibm.com>,
       Oleg Nesterov <oleg@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
       David Howells <dhowells@redhat.com>, Ingo Molnar <mingo@elte.hu>,
       Peter Zijlstra <a.p.zijlstra@chello.nl>,
       "Eric W. Biederman" <ebiederm@xmission.com>, linux-doc@vger.kernel.org
Subject: Re: [PATCH] ptrace: allow restriction of ptrace scope
Message-ID: <20100618123653.GA5427@hallyn.com>
References: <20100616221833.GM24749@outflux.net>
 <20100616231006.34A28403D2@magilla.sf.frob.com>
 <20100616233937.GQ24749@outflux.net>
 <20100617001114.A90F5403D2@magilla.sf.frob.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20100617001114.A90F5403D2@magilla.sf.frob.com>
User-Agent: Mutt/1.5.20 (2009-06-14)
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 2393
Lines: 52

Quoting Roland McGrath (roland@redhat.com):
> > Though, honestly, just trying to get rid of PTRACE seems like the better
> > place to spend time.
> 
> Crushing irony of telling *me* this duly noted.  ;-)
> I am not really sure what deeply different set of security constraints
> you envision on any other kind of new debugger interface that would be
> any different for the concerns you've expressed, though.
> 
> > > I don't think "task->pid > 0" is a sort of check that is used elsewhere in
> > > the kernel for this.  Perhaps "task == &init_task" would be better.
> > 
> > Is this correct for pid_ns?  I thought pid 1 (regardless of NS) would have
> > a NULL parent?
> 
> Don't ask me.  I just mentioned pid_ns to get those who really know about
> it to feel obliged to review your code.

task->pid always holds the global pid, so 0 and 1 will be the global idle
and init tasks.

As for this particular patch,

Quoting Kees Cook (kees.cook@canonical.com):

>> running state of any of their processes. For example, if one application
>>(e.g. Pidgin) was compromised, it would be possible for an attacker to
>>attach to other running processes (e.g. Firefox, SSH sessions, GPG agent,
>>etc) to extract additional credentials and continue to expand the scope
>>of their attack without resorting to user-assisted phishing.

Well that's why I like to run things like firefox, irc clients, etc each
as their own userid.  That also protects my ssh keys from irc client.  But
things like clicking urls in terminals to fire them up in a browser
aren't usually hooked up right when you do that.  Not that it'd be
impossible to do right.

Anyway, if you're going to do this (sounds like, as a tiny-lsm?), how
about replacing the sysctl with a per-task flag which, once set,
can't be unset?  Then firefox can mark itself unable-to-ptrace (or I
can do so in a wrapper before calling firefox.real), after which it
cannot strace anything which isn't its descendent, but I can still
strace firefox from my shell.  Of course, don't bother with that
change unless someone seconds the suggestion, in case ppl don't like
it and ask you to change it back :)

-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/