| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20080519224204.GL30402@sequoia.sous-sol.org> Date: Mon, 19 May 2008 15:42:04 -0700 From: Chris Wright <chrisw@...s-sol.org> To: Stephen Smalley <sds@...ho.nsa.gov> Cc: James Morris <jmorris@...ei.org>, lsm <linux-security-module@...r.kernel.org>, lkml <linux-kernel@...r.kernel.org>, Chris Wright <chrisw@...s-sol.org>, Eric Paris <eparis@...isplace.org>, Casey Schaufler <casey@...aufler-ca.com>, "Serge E. Hallyn" <serue@...ibm.com> Subject: Re: [PATCH] security: split proc ptrace checking into read vs. attach * Stephen Smalley (sds@...ho.nsa.gov) wrote: > Enable security modules to distinguish reading of process state via > proc from full ptrace access by renaming ptrace_may_attach to > ptrace_may_access and adding a mode argument indicating whether only > read access or full attach access is requested. This allows security > modules to permit access to reading process state without granting > full ptrace access. The base DAC/capability checking remains unchanged. > > Read access to /proc/pid/mem continues to apply a full ptrace attach > check since check_mem_permission() already requires the current task > to already be ptracing the target. The other ptrace checks within > proc for elements like environ, maps, and fds are changed to pass the > read mode instead of attach. > > In the SELinux case, we model such reading of process state as a > reading of a proc file labeled with the target process' label. This > enables SELinux policy to permit such reading of process state without > permitting control or manipulation of the target process, as there are > a number of cases where programs probe for such information via proc > but do not need to be able to control the target (e.g. procps, > lsof, PolicyKit, ConsoleKit). At present we have to choose between > allowing full ptrace in policy (more permissive than required/desired) > or breaking functionality (or in some cases just silencing the denials > via dontaudit rules but this can hide genuine attacks). > > This version of the patch incorporates comments from Casey Schaufler > (change/replace existing ptrace_may_attach interface, pass access > mode), and Chris Wright (provide greater consistency in the checking). > > Note that like their predecessors __ptrace_may_attach and > ptrace_may_attach, the __ptrace_may_access and ptrace_may_access > interfaces use different return value conventions from each other (0 > or -errno vs. 1 or 0). I retained this difference to avoid any > changes to the caller logic but made the difference clearer by > changing the latter interface to return a bool rather than an int and > by adding a comment about it to ptrace.h for any future callers. > > Signed-off-by: Stephen Smalley <sds@...ho.nsa.gov> Acked-by: Chris Wright <chrisw@...s-sol.org> -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists