From: "Serge E. Hallyn" <serge@hallyn.com>
To: Roland McGrath <roland@redhat.com>
Cc: Kees Cook <kees.cook@canonical.com>,
linux-kernel@vger.kernel.org, Randy Dunlap <rdunlap@xenotime.net>,
Andrew Morton <akpm@linux-foundation.org>,
Jiri Kosina <jkosina@suse.cz>,
Dave Young <hidave.darkstar@gmail.com>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Oleg Nesterov <oleg@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
David Howells <dhowells@redhat.com>, Ingo Molnar <mingo@elte.hu>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
"Eric W. Biederman" <ebiederm@xmission.com>,
linux-doc@vger.kernel.org
Subject: Re: [PATCH] ptrace: allow restriction of ptrace scope
Date: Fri, 18 Jun 2010 07:36:53 -0500 [thread overview]
Message-ID: <20100618123653.GA5427@hallyn.com> (raw)
In-Reply-To: <20100617001114.A90F5403D2@magilla.sf.frob.com>
Quoting Roland McGrath (roland@redhat.com):
> > Though, honestly, just trying to get rid of PTRACE seems like the better
> > place to spend time.
>
> Crushing irony of telling *me* this duly noted. ;-)
> I am not really sure what deeply different set of security constraints
> you envision on any other kind of new debugger interface that would be
> any different for the concerns you've expressed, though.
>
> > > I don't think "task->pid > 0" is a sort of check that is used elsewhere in
> > > the kernel for this. Perhaps "task == &init_task" would be better.
> >
> > Is this correct for pid_ns? I thought pid 1 (regardless of NS) would have
> > a NULL parent?
>
> Don't ask me. I just mentioned pid_ns to get those who really know about
> it to feel obliged to review your code.
task->pid always holds the global pid, so 0 and 1 will be the global idle
and init tasks.
As for this particular patch,
Quoting Kees Cook (kees.cook@canonical.com):
>> running state of any of their processes. For example, if one application
>>(e.g. Pidgin) was compromised, it would be possible for an attacker to
>>attach to other running processes (e.g. Firefox, SSH sessions, GPG agent,
>>etc) to extract additional credentials and continue to expand the scope
>>of their attack without resorting to user-assisted phishing.
Well that's why I like to run things like firefox, irc clients, etc each
as their own userid. That also protects my ssh keys from irc client. But
things like clicking urls in terminals to fire them up in a browser
aren't usually hooked up right when you do that. Not that it'd be
impossible to do right.
Anyway, if you're going to do this (sounds like, as a tiny-lsm?), how
about replacing the sysctl with a per-task flag which, once set,
can't be unset? Then firefox can mark itself unable-to-ptrace (or I
can do so in a wrapper before calling firefox.real), after which it
cannot strace anything which isn't its descendent, but I can still
strace firefox from my shell. Of course, don't bother with that
change unless someone seconds the suggestion, in case ppl don't like
it and ask you to change it back :)
-serge
next prev parent reply other threads:[~2010-06-18 12:36 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-06-16 22:18 [PATCH] ptrace: allow restriction of ptrace scope Kees Cook
2010-06-16 23:01 ` Alan Cox
2010-06-16 23:22 ` Kees Cook
2010-06-17 13:45 ` James Morris
2010-06-17 17:04 ` Kees Cook
2010-06-17 20:53 ` Alan Cox
2010-06-17 21:06 ` Randy Dunlap
2010-06-17 21:16 ` Kees Cook
2010-06-17 22:18 ` Alan Cox
2010-06-17 22:25 ` Kees Cook
2010-06-17 22:34 ` Alan Cox
2010-06-17 21:18 ` Alan Cox
2010-06-17 21:51 ` Kees Cook
2010-06-17 22:30 ` Alan Cox
2010-06-17 23:03 ` James Morris
2010-06-18 3:10 ` Casey Schaufler
2010-06-18 10:54 ` Theodore Tso
2010-06-18 13:50 ` Eric W. Biederman
2010-06-18 14:29 ` Serge E. Hallyn
2010-06-19 2:23 ` Casey Schaufler
2010-06-19 2:49 ` Eric W. Biederman
2010-06-21 0:52 ` James Morris
2010-06-21 2:16 ` Valdis.Kletnieks
2010-06-18 17:58 ` Kees Cook
2010-06-19 2:15 ` Tetsuo Handa
2010-06-19 3:19 ` Frank Ch. Eigler
2010-06-16 23:10 ` Roland McGrath
2010-06-16 23:39 ` Kees Cook
2010-06-17 0:11 ` Roland McGrath
2010-06-17 0:46 ` Kees Cook
2010-06-18 12:36 ` Serge E. Hallyn [this message]
2010-06-17 12:29 ` Eric W. Biederman
2010-06-17 16:59 ` Kees Cook
2010-06-17 20:45 ` Eric W. Biederman
2010-06-17 21:14 ` Kees Cook
2010-06-17 22:50 ` Serge E. Hallyn
2010-06-17 23:11 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100618123653.GA5427@hallyn.com \
--to=serge@hallyn.com \
--cc=a.p.zijlstra@chello.nl \
--cc=akpm@linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=hidave.darkstar@gmail.com \
--cc=hpa@zytor.com \
--cc=jkosina@suse.cz \
--cc=kees.cook@canonical.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=oleg@redhat.com \
--cc=rdunlap@xenotime.net \
--cc=roland@redhat.com \
--cc=schwidefsky@de.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox