From: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
To: Jann Horn <jann@thejh.net>
Cc: mtk.manpages@gmail.com, Kees Cook <keescook@chromium.org>,
Linux API <linux-api@vger.kernel.org>,
linux-man <linux-man@vger.kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
lkml <linux-kernel@vger.kernel.org>,
Casey Schaufler <casey@schaufler-ca.com>,
James Morris <jmorris@namei.org>
Subject: Re: Review of ptrace Yama ptrace_scope description
Date: Tue, 28 Jun 2016 08:11:36 +0200 [thread overview]
Message-ID: <0017835d-c672-02fe-dab8-d1b11c100c24@gmail.com> (raw)
In-Reply-To: <20160625143006.GA24730@pc.thejh.net>
Hi Jann,
On 06/25/2016 04:30 PM, Jann Horn wrote:
> On Sat, Jun 25, 2016 at 09:30:43AM +0200, Michael Kerrisk (man-pages) wrote:
>> Hi Kees,
>>
>> So, last year, I added some documentation to ptrace(2) to describe
>> the Yama ptrace_scope file. I don't think I asked you for review
>> at the time, but in the light of other changes to the ptrace(2)
>> page, it occurred to me that it might be a good idea to ask you
>> to check the text below to see if anything is missing or could be
>> improved. Might you have a moment for that?
>>
>> /proc/sys/kernel/yama/ptrace_scope
>> On systems with the Yama Linux Security Module (LSM) installed
>> (i.e., the kernel was configured with CONFIG_SECURITY_YAMA),
>> the /proc/sys/kernel/yama/ptrace_scope file (available since
>> Linux 3.4) can be used to restrict the ability to trace a
>> process with ptrace(2) (and thus also the ability to use tools
>> such as strace(1) and gdb(1)). The goal of such restrictions
>> is to prevent attack escalation whereby a compromised process
>> can ptrace-attach to other sensitive processes (e.g., a GPG
>> agent or an SSH session) owned by the user in order to gain
>> additional credentials and thus expand the scope of the attack.
>>
>> More precisely, the Yama LSM limits two types of operations:
>>
>> * Any operation that performs a ptrace access mode
>> PTRACE_MODE_ATTACH check—for example, ptrace()
>> PTRACE_ATTACH. (See the "Ptrace access mode checking" dis‐
>> cussion above.)
>>
>> * ptrace() PTRACE_TRACEME.
>>
>> A process that has the CAP_SYS_PTRACE capability can update the
>> /proc/sys/kernel/yama/ptrace_scope file with one of the follow‐
>> ing values:
>>
>> 0 ("classic ptrace permissions")
>> No additional restrictions on operations that perform
>> PTRACE_MODE_ATTACH checks (beyond those imposed by the
>> commoncap and other LSMs).
>>
>> The use of PTRACE_TRACEME is unchanged.
>>
>> 1 ("restricted ptrace") [default value]
>> When performing an operation that requires a
>> PTRACE_MODE_ATTACH check, the calling process must have
>> a predefined relationship with the target process. By
>> default, the predefined relationship is that the target
>> process must be a child of the caller.
>>
>> A target process can employ the prctl(2) PR_SET_PTRACER
>> operation to declare a different PID that is allowed to
>> perform PTRACE_MODE_ATTACH operations on the target.
>> See the kernel source file Documentation/secu‐
>> rity/Yama.txt for further details.
>>
>> The use of PTRACE_TRACEME is unchanged.
>
> (namespaced) CAP_SYS_PTRACE is also sufficient here.
>
>
> Both here and in the "admin-only attach" case, it is IMO important to
> note that creating a user namespace effectively removes the Yama
> protection because the owner of a namespace, when accessing its
> contents from outside, is relatively capable.
>
> This means that when a process tries to use namespaces to sandbox
> itself, it inadvertently makes itself more accessible.
>
> (This could probably be worked around in the kernel, but such a
> workaround would likely not be default, but rather opt-in via a new
> flag for clone() and unshare() or so.)
Tanks for catching this!
So I've made that section of text:
A process that has the CAP_SYS_PTRACE capability can update the
/proc/sys/kernel/yama/ptrace_scope file with one of the following
values:
0 ("classic ptrace permissions")
No additional restrictions on operations that perform
PTRACE_MODE_ATTACH checks (beyond those imposed by the com‐
moncap and other LSMs).
The use of PTRACE_TRACEME is unchanged.
1 ("restricted ptrace") [default value]
When performing an operation that requires a
PTRACE_MODE_ATTACH check, the calling process must either
have the CAP_SYS_PTRACE capability in the user namespace of
the target process or it have a predefined relationship
with the target process. By default, the predefined rela‐
tionship is that the target process must be a child of the
caller.
A target process can employ the prctl(2) PR_SET_PTRACER
operation to declare a different PID that is allowed to
perform PTRACE_MODE_ATTACH operations on the target. See
the kernel source file Documentation/security/Yama.txt for
further details.
The use of PTRACE_TRACEME is unchanged.
2 ("admin-only attach")
Only processes with the CAP_SYS_PTRACE capability in the
user namespace of the target process may perform
PTRACE_MODE_ATTACH operations or trace children that employ
PTRACE_TRACEME.
3 ("no attach")
No process may perform PTRACE_MODE_ATTACH operations or
trace children that employ PTRACE_TRACEME.
Once this value has been written to the file, it cannot be
changed.
With respect to values 1 and 2, note that creating a user names‐
pace effectively removes the Yama protection, because the owner of
a namespace, when accessing its members from outside, has
CAP_SYS_PTRACE within the namespace. This means that when a
process tries to use namespaces to sandbox itself, it inadver‐
tently weakens the protections offered by the Yama LSM.
Okay?
Cheers,
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
next prev parent reply other threads:[~2016-06-28 6:11 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-25 7:30 Review of ptrace Yama ptrace_scope description Michael Kerrisk (man-pages)
[not found] ` <a80772d7-f52a-0943-de24-a0cf8d6b2f7c-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-06-25 14:30 ` Jann Horn
2016-06-28 6:11 ` Michael Kerrisk (man-pages) [this message]
[not found] ` <0017835d-c672-02fe-dab8-d1b11c100c24-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-06-28 20:50 ` Jann Horn
[not found] ` <20160628205007.GA1419-J1fxOzX/cBvk1uMJSBkQmQ@public.gmane.org>
2016-06-29 4:49 ` Michael Kerrisk (man-pages)
2016-06-28 20:55 ` Kees Cook
2016-06-29 5:05 ` Michael Kerrisk (man-pages)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0017835d-c672-02fe-dab8-d1b11c100c24@gmail.com \
--to=mtk.manpages@gmail.com \
--cc=casey@schaufler-ca.com \
--cc=jann@thejh.net \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).