2017-02-12 07:34:06

by Jason Zaman

Subject: [refpolicy] [PATCH] deny_ptrace

https://github.com/TresysTechnology/refpolicy/blob/master/policy/modules/roles/sysadm.te#L10

Refpolicy already has this but reversed. Refpolicy prefers to ship with all
booleans disabled so it's allow_ptrace instead of deny_ptrace.

Adding more places is probably good though; if they're missing then you can
drop anything custom in Debian's packages

On 12 Feb 2017 15:17, "Russell Coker via refpolicy" <[email protected]> wrote:

The below patch is something that I think came from Fedora when I merged their
systemd policy. It's not complete (would need to have lots more ifdefs) and
would probably take more work to get it complete (as programs that call ps
are often flagged as needing ptrace access).

Is this something that's worth continuing with or should I just drop it to
get closer to upstream?


diff -ru /home/rjc/src/pol-git/policy/global_tunables
/tmp/pol-git/policy/global_tunables
--- /home/rjc/src/pol-git/policy/global_tunables 2016-08-03
10:37:38.704348215 +1000
+++ /tmp/pol-git/policy/global_tunables 2017-02-12 18:13:03.584953597 +1100
@@ -6,6 +6,13 @@

## <desc>
## <p>
+## Allow sysadm to debug or ptrace all processes.
+## </p>
+## </desc>
+gen_tunable(deny_ptrace, false)
+
+## <desc>
+## <p>
## Allow unconfined executables to make their heap memory executable.
Doing this is a really bad idea. Probably indicates a badly coded
executable, but could indicate an attack. This executable should be
reported in bugzilla
## </p>
## </desc>
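Review bot: the description added for `gen_tunable(deny_ptrace, false)` reads "Allow sysadm to debug or ptrace all processes", which describes turning the boolean on as granting access, while the name `deny_ptrace` says turning it on removes access; one of the two is inverted. Since Jason points out upstream already ships the same control as `allow_ptrace` (off by default, per refpolicy's convention of shipping all booleans disabled), the cleaner fix is to drop this declaration and reuse `allow_ptrace`; if a separate `deny_ptrace` is kept, the `<desc>` text must say what setting it to true takes away.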
diff -ru /home/rjc/src/pol-git/policy/modules/system/init.if
/tmp/pol-git/policy/modules/system/init.if
--- /home/rjc/src/pol-git/policy/modules/system/init.if 2017-02-09
12:14:04.820887209 +1100
+++ /tmp/pol-git/policy/modules/system/init.if 2017-02-12
18:13:03.584953597 +1100
@@ -1504,7 +1504,9 @@
type init_t;
')

- allow $1 init_t:process ptrace;
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 init_t:process ptrace;
+ ')
')

########################################
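Review bot: the `tunable_policy(`deny_ptrace',`',` ... ')` call leaves the true branch empty and puts `allow $1 init_t:process ptrace;` in the else branch, so the permission is present by default and vanishes only when the boolean is switched on; with the upstream `allow_ptrace` sense this would read `tunable_policy(`allow_ptrace',` allow $1 init_t:process ptrace; ')` with no empty branch and the access off by default. Also, the rule was previously unconditional for every caller of this interface, and the cover note says callers of `ps` are often flagged as needing ptrace; making it tunable is a behaviour change for all of them, so the interface's summary comment (outside this hunk) should state that the ptrace access depends on the boolean.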
_______________________________________________
refpolicy mailing list
refpolicy at oss.tresys.com
http://oss.tresys.com/mailman/listinfo/refpolicy
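A small lint for the convention Jason describes, added here as an example that is not part of the thread and not refpolicy's own tooling: it parses the m4-quoted `gen_tunable(...)` and `tunable_policy(...)` forms shown in the patch and flags booleans with negative names, `tunable_policy` calls whose rules sit only in the else branch behind an empty true branch, and booleans that are declared but never used (or used but never declared). The sample policy text, the interface name `init_ptrace` and the `allow_ptrace` usage in it are constructed for the example, modelled on the hunks above rather than copied from refpolicy.

```python
import re

# Constructed sample (not copied from refpolicy): the deny_ptrace declaration
# and init.if usage from the posted patch, an allow_ptrace declaration and use
# written the way refpolicy expects (off by default, rules in the true branch),
# one tunable declared but never used, and one used but never declared.
SAMPLE_POLICY = """
## <desc>
## <p>
## Allow sysadm to debug or ptrace all processes.
## </p>
## </desc>
gen_tunable(deny_ptrace, false)

## <desc>
## <p>
## Allow sysadm to debug or ptrace all processes.
## </p>
## </desc>
gen_tunable(allow_ptrace, false)

gen_tunable(unused_bool, false)

interface(`init_ptrace',`
	gen_require(`
		type init_t;
	')

	tunable_policy(`deny_ptrace',`',`
		allow $1 init_t:process ptrace;
	')
')

tunable_policy(`allow_ptrace',`
	domain_ptrace_all_domains(sysadm_t)
')

tunable_policy(`undeclared_bool',`
	allow sysadm_t self:process ptrace;
')
"""

# gen_tunable(name, default) at the start of a line; "## " comment lines never match.
TUNABLE_RE = re.compile(r"^\s*gen_tunable\((\w+)\s*,\s*(true|false)\s*\)", re.MULTILINE)
# Prefixes that read as "enabling this boolean removes access".
NEGATIVE_PREFIX = re.compile(r"^(deny|disable|disallow|no)_")
IDENT_RE = re.compile(r"[A-Za-z_]\w*")


def _read_quoted(text, i):
    """Read one m4-quoted argument starting at text[i] == '`'.

    m4 quotes nest (`a `b' c' is one argument), so track depth. Returns the
    body without the outer quotes and the index just past the closing quote.
    Apostrophes inside comments within a branch are not handled.
    """
    depth = 0
    for j in range(i, len(text)):
        if text[j] == "`":
            depth += 1
        elif text[j] == "'":
            depth -= 1
            if depth == 0:
                return text[i + 1:j], j + 1
    raise ValueError("unterminated m4 quote at offset %d" % i)


def parse_tunable_policies(text):
    """Return every tunable_policy call as {"cond", "true", "false"} (branches raw)."""
    calls = []
    pos = 0
    while True:
        start = text.find("tunable_policy(", pos)
        if start < 0:
            return calls
        i = start + len("tunable_policy(")
        args = []
        while True:
            while i < len(text) and text[i] in " \t\n,":
                i += 1
            if i >= len(text) or text[i] == ")":
                break
            if text[i] != "`":
                raise ValueError("unquoted tunable_policy argument at offset %d" % i)
            body, i = _read_quoted(text, i)
            args.append(body)
        args += [""] * (3 - len(args))  # the else branch is optional
        calls.append({"cond": args[0], "true": args[1], "false": args[2]})
        pos = i


def lint_policy(text):
    """Return (code, name, message) findings for the conventions described above."""
    findings = []
    declared = dict(TUNABLE_RE.findall(text))
    for name in declared:
        if NEGATIVE_PREFIX.match(name):
            findings.append(("negative-name", name,
                             "booleans ship disabled, so name what enabling grants (e.g. allow_*)"))
    used = set()
    for call in parse_tunable_policies(text):
        names = IDENT_RE.findall(call["cond"])
        used.update(names)
        if not call["true"].strip() and call["false"].strip():
            findings.append(("else-only", call["cond"].strip(),
                             "rules only in the else branch: enabling the boolean removes access"))
        for n in names:
            if n not in declared:
                findings.append(("undeclared", n, "used in tunable_policy but never gen_tunable'd"))
    for name in declared:
        if name not in used:
            findings.append(("unused", name, "declared with gen_tunable but never referenced"))
    return findings


if __name__ == "__main__":
    for code, name, msg in lint_policy(SAMPLE_POLICY):
        print("%-14s %-16s %s" % (code, name, msg))
```

Run against the constructed sample it reports `deny_ptrace` twice (negative name, else-only rules), `undeclared_bool` and `unused_bool`, and is silent on the `allow_ptrace` form. Pointing it at a real `global_tunables` plus the `.if` files gives a quick check that a distribution's local booleans follow the upstream sense before extending `allow_ptrace` as the thread suggests.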


2017-02-12 08:54:42

by Russell Coker

Subject: [refpolicy] [PATCH] deny_ptrace

On Sunday, 12 February 2017 3:34:06 PM AEDT Jason Zaman via refpolicy wrote:
> https://github.com/TresysTechnology/refpolicy/blob/master/policy/modules/roles/sysadm.te#L10
>
> Refpolicy already has this but reversed. Refpolicy prefers to ship with all
> booleans disabled so it's allow_ptrace instead of deny_ptrace.
>
> Adding more places is probably good though; if they're missing then you can
> drop anything custom in Debian's packages

Thanks for the quick response. I've dropped that patch from Debian, I'll look
into extending allow_ptrace later.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/