public inbox for linux-kernel@vger.kernel.org
From: Kees Cook <kees.cook@canonical.com>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: linux-kernel@vger.kernel.org, Randy Dunlap <rdunlap@xenotime.net>,
	Andrew Morton <akpm@linux-foundation.org>,
	Jiri Kosina <jkosina@suse.cz>,
	Dave Young <hidave.darkstar@gmail.com>,
	Martin Schwidefsky <schwidefsky@de.ibm.com>,
	Roland McGrath <roland@redhat.com>,
	Oleg Nesterov <oleg@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
	David Howells <dhowells@redhat.com>, Ingo Molnar <mingo@elte.hu>,
	Peter Zijlstra <a.p.zijlstra@chello.nl>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	linux-doc@vger.kernel.org
Subject: Re: [PATCH] ptrace: allow restriction of ptrace scope
Date: Wed, 16 Jun 2010 16:22:30 -0700
Message-ID: <20100616232230.GP24749@outflux.net>
In-Reply-To: <20100617000120.13071be8@lxorguk.ukuu.org.uk>

Hi Alan,

On Thu, Jun 17, 2010 at 12:01:20AM +0100, Alan Cox wrote:
> > As Linux grows in popularity, it will become a larger target for
> > malware. One particularly troubling weakness of the Linux process
> > interfaces is that a single user is able to examine the memory and
> > running state of any of their processes. For example, if one application
> 
> And this will help how - or don't you care about procfs.

I'm not sure I follow this comment.  Sensitive things in /proc/$PID/* are
already protected by ptrace_may_access() with mode == ATTACH.

> Other distributions do this sensibly by using things like SELinux which
> can describe the relationships in ways that matter and also arbitrate
> other access paths beyond ptrace which can be used for the same purpose.

Certainly.  PTRACE can already be confined by SELinux and AppArmor.  I'm
looking for a general approach that doesn't require a system builder to
create MAC policies for unknown software.  I want to define a common core
behavior.

> And even if you don't care about using the same security stuff the rest
> of the world is using to solve the problem this like the other half baked
> stuff you posted for links belongs as a security module.

The LSM isn't stackable, so I can't put it there and choose this and
SELinux (for the case of software-without-a-policy).

> If you'd put it all in security/ubuntu/grsecurity or similar probably
> nobody would care too much. The hooks are there so you can do different
> things with security policy without making a mess for anyone else.

I'm not clear how this is "a mess for anyone else" when it defaults to
the classic PTRACE behavior.  PTRACE itself is dangerous, so it's not
unreasonable to start inching away from it.

> So NAK. If you want to use bits of grsecurity then please just write
> yourselves a grsecurity kernel module that uses the security hooks
> properly and stop messing up the core code. It's all really quite simple,
> the infrastrucuture is there, so use it.

There is no infrastructure to selectively choose these general-purpose
features.  This is why there is a sysctl.  It's a global behavioral
change.

Since LSMs aren't arbitrarily stackable, asking me to move the code into
a new LSM isn't a particularly actionable suggestion.

-Kees

-- 
Kees Cook
Ubuntu Security Team

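The disagreement above turns on two concrete claims: that a same-uid process can PTRACE_ATTACH to any other process of that user (the classic behaviour), and that the sensitive /proc/$PID/* files are already gated by ptrace_may_access() with mode == ATTACH, so a ptrace-scope sysctl also closes that path. The probe below is an added example written for this page, not code from the patch or from the thread. It forks an idle target and a sibling process (not an ancestor of the target) that tries PTRACE_ATTACH and open("/proc/<target>/mem"), and reports what the kernel allowed. It assumes the sysctl lives at /proc/sys/kernel/yama/ptrace_scope, which is where the later Yama LSM put it; the 2010 patch's own sysctl name is not shown on this page, and on a kernel without that file the probe only reports the classic result. The CAP_SYS_PTRACE check is there because a tracer holding that capability is exempt from the restricted scope.

```c
/* sibling_ptrace_probe.c - added example, not part of the original thread.
 * Build: cc -Wall -o sibling_ptrace_probe sibling_ptrace_probe.c
 * Run as an ordinary user; compare the output with ptrace_scope = 0 and 1.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Yama ptrace_scope value (0..3), or -1 if the sysctl does not exist. */
int read_ptrace_scope(void)
{
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (!f) return -1;
    int v = -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* 1 if CAP_SYS_PTRACE (bit 19) is in our effective capability set. */
int have_cap_sys_ptrace(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    char line[256];
    unsigned long long caps = 0;
    int found = 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "CapEff: %llx", &caps) == 1) { found = 1; break; }
    fclose(f);
    return found && ((caps >> 19) & 1ULL);
}

/* Forks an idle target and a sibling prober.  Returns a bitmask:
 * bit 0 = PTRACE_ATTACH by the sibling was denied,
 * bit 1 = open("/proc/<target>/mem") by the sibling was denied,
 * or -1 if the probe could not be run at all. */
int probe_sibling_access(void)
{
    pid_t target = fork();
    if (target < 0) return -1;
    if (target == 0)
        for (;;) pause();                    /* target: idle until killed */

    pid_t prober = fork();
    if (prober < 0) { kill(target, SIGKILL); waitpid(target, NULL, 0); return -1; }
    if (prober == 0) {
        int mask = 0;
        if (ptrace(PTRACE_ATTACH, target, NULL, NULL) == -1) {
            fprintf(stderr, "sibling PTRACE_ATTACH(%d): %s\n", target, strerror(errno));
            mask |= 1;
        } else {
            int st;
            waitpid(target, &st, 0);         /* collect the attach stop */
            ptrace(PTRACE_DETACH, target, NULL, NULL);
            fprintf(stderr, "sibling PTRACE_ATTACH(%d): ok\n", target);
        }
        char path[64];
        snprintf(path, sizeof path, "/proc/%d/mem", target);
        int fd = open(path, O_RDONLY);       /* gated with PTRACE_MODE_ATTACH */
        if (fd == -1) {
            fprintf(stderr, "sibling open(%s): %s\n", path, strerror(errno));
            mask |= 2;
        } else {
            fprintf(stderr, "sibling open(%s): ok\n", path);
            close(fd);
        }
        _exit(mask);
    }

    int st, mask = -1;
    if (waitpid(prober, &st, 0) == prober && WIFEXITED(st)) mask = WEXITSTATUS(st);
    kill(target, SIGKILL);
    waitpid(target, NULL, 0);
    return mask;
}

/* 1 only if the observation contradicts the restricted-scope rule: with
 * ptrace_scope >= 1 and no CAP_SYS_PTRACE, a non-ancestor must be denied
 * both the attach and the /proc mem open.  A probe that could not run
 * observes nothing and so contradicts nothing. */
int probe_contradicts_policy(void)
{
    int scope = read_ptrace_scope();
    int mask = probe_sibling_access();
    if (mask < 0) return 0;
    if (scope >= 1 && !have_cap_sys_ptrace()) return mask != 3;
    return 0;   /* classic scope or no Yama: either outcome is allowed */
}

int main(void)
{
    int scope = read_ptrace_scope();
    int mask = probe_sibling_access();
    printf("ptrace_scope=%d (-1 = sysctl absent) CAP_SYS_PTRACE=%d "
           "attach_denied=%d mem_denied=%d\n",
           scope, have_cap_sys_ptrace(), mask & 1, (mask >> 1) & 1);
    return mask < 0;
}
```

With the classic behaviour (scope 0, or no such sysctl) the sibling normally gets both the attach and the /proc/<pid>/mem descriptor, which is the weakness the patch description refers to; with scope 1 both fail with EPERM/EACCES because the prober is neither an ancestor of the target nor CAP_SYS_PTRACE-capable. A container seccomp profile that filters ptrace(2) will also make the attach fail at scope 0, so read the errno lines rather than treating a denial alone as proof of the sysctl.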

Thread overview: 37+ messages
2010-06-16 22:18 [PATCH] ptrace: allow restriction of ptrace scope Kees Cook
2010-06-16 23:01 ` Alan Cox
2010-06-16 23:22   ` Kees Cook [this message]
2010-06-17 13:45     ` James Morris
2010-06-17 17:04       ` Kees Cook
2010-06-17 20:53         ` Alan Cox
2010-06-17 21:06           ` Randy Dunlap
2010-06-17 21:16             ` Kees Cook
2010-06-17 22:18               ` Alan Cox
2010-06-17 22:25                 ` Kees Cook
2010-06-17 22:34                   ` Alan Cox
2010-06-17 21:18             ` Alan Cox
2010-06-17 21:51               ` Kees Cook
2010-06-17 22:30                 ` Alan Cox
2010-06-17 23:03                   ` James Morris
2010-06-18  3:10                   ` Casey Schaufler
2010-06-18 10:54                     ` Theodore Tso
2010-06-18 13:50                       ` Eric W. Biederman
2010-06-18 14:29                         ` Serge E. Hallyn
2010-06-19  2:23                         ` Casey Schaufler
2010-06-19  2:49                           ` Eric W. Biederman
2010-06-21  0:52                       ` James Morris
2010-06-21  2:16                         ` Valdis.Kletnieks
2010-06-18 17:58                   ` Kees Cook
2010-06-19  2:15                 ` Tetsuo Handa
2010-06-19  3:19                 ` Frank Ch. Eigler
2010-06-16 23:10 ` Roland McGrath
2010-06-16 23:39   ` Kees Cook
2010-06-17  0:11     ` Roland McGrath
2010-06-17  0:46       ` Kees Cook
2010-06-18 12:36       ` Serge E. Hallyn
2010-06-17 12:29 ` Eric W. Biederman
2010-06-17 16:59   ` Kees Cook
2010-06-17 20:45     ` Eric W. Biederman
2010-06-17 21:14       ` Kees Cook
2010-06-17 22:50       ` Serge E. Hallyn
2010-06-17 23:11         ` Eric W. Biederman
