Re: [PATCH 0/2] Yama: add PTRACE exception tracking

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Kees Cook <kees.cook@canonical.com>
To: James Morris <jmorris@namei.org>
Cc: Christoph Hellwig <hch@infradead.org>,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/2] Yama: add PTRACE exception tracking
Date: Wed, 30 Jun 2010 21:44:01 -0700	[thread overview]
Message-ID: <20100701044401.GY4837@outflux.net> (raw)
In-Reply-To: <alpine.LRH.2.00.1007011057520.24202@tundra.namei.org>

Hi James,

On Thu, Jul 01, 2010 at 11:39:01AM +1000, James Morris wrote:
> On Wed, 30 Jun 2010, Christoph Hellwig wrote:
> > Err, no.  This is just a very clear sign that your ptrace restrictions
> > were completely wrong to start with and break applications left, right
> > and center.  Just get rid of it instead of letting workarounds for your
> > bad design creep into the core kernel and applications.
> 
> Indeed, I wasn't aware that there were further aspects to this -- I 
> thought it was a relatively simple case of restricting a problematic OS 
> feature for heavily locked down systems.

That's certainly my intent, but PTRACE is kind of a nasty beast.

> This is getting more complicated, with fine-grained security policy now 
> being introduced, also with the need to modify applications.

Well, I'm trying to solve what I think is a core problem with PTRACE -- it
is too permissive.  I'm happy to look at it from other angles if it doesn't
make sense for this kind of thing to live in Yama.  I'm already very happy
with the existing restrictions available in Yama.

> There are several existing LSMs with the ability to control ptrace, but as 
> part of a system-wide, coherent, analyzable policy -- often in support of 
> specific security models for which there is concrete user demand and 
> benefit.

Sure.  I am curious, though, is there a way for SELinux (or maybe Smack,
since it has more dynamic labels) to declare this kind of on-runtime PTRACE
relationship?  Maybe I overlooked some options for this.  I didn't see any
way for the kernel to intuit the relationship without the tracee
specifically declaring which process could PTRACE it, though.  Regardless
of the method, I think userspace changes would be needed for this kind of
thing.  I spent a little time discussing this within Ubuntu[1].

> If LSMs need to call into common code in Yama, or even do lightweight 
> chaining, that's one thing, but for Yama to evolve into yet another 
> standalone security scheme, is something entirely different.

I still think simple chaining is the way to go.  I want to review the
earlier discussions first (I think Serge said it was in 2004ish?) before I
write up anything.  There is, I think, one sticking point, which is
/proc/self/attr/current, but beyond that, I think some simple
reorganization of LSM initialization routines and a list that security_*
walks would be sufficient.

Thanks,

-Kees

[1] https://lists.ubuntu.com/archives/ubuntu-devel/2010-June/030939.html

-- 
Kees Cook
Ubuntu Security Team

next prev parent reply	other threads:[~2010-07-01  4:44 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-06-30  0:38 [PATCH 0/2] Yama: add PTRACE exception tracking Kees Cook
2010-06-30  0:39 ` [PATCH 1/2] security: create task_free security callback Kees Cook
2010-06-30  0:40 ` [PATCH 2/2] Yama: add PTRACE exception tracking Kees Cook
2010-06-30  1:09   ` Tetsuo Handa
2010-06-30  3:51     ` Kees Cook
2010-06-30  3:56   ` Serge E. Hallyn
2010-06-30  5:27     ` Kees Cook
2010-06-30 12:40       ` Serge E. Hallyn
2010-06-30 15:41   ` Eric Paris
2010-06-30 15:53     ` Kees Cook
2010-06-30 21:39       ` Tetsuo Handa
2010-06-30  7:31 ` [PATCH 0/2] " Christoph Hellwig
2010-06-30 15:45   ` Kees Cook
2010-07-01  1:39   ` James Morris
2010-07-01  4:44     ` Kees Cook [this message]
2010-07-01 13:20       ` Serge E. Hallyn
2010-07-01 15:22         ` Stephen Smalley
2010-07-01 17:16         ` Kees Cook
2010-07-01 19:41           ` Serge E. Hallyn
2010-07-01 19:57             ` Stephen Smalley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20100701044401.GY4837@outflux.net \
    --to=kees.cook@canonical.com \
    --cc=hch@infradead.org \
    --cc=jmorris@namei.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.