| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 18 Jun 2010 07:36:53 -0500 From: "Serge E. Hallyn" <serge@...lyn.com> To: Roland McGrath <roland@...hat.com> Cc: Kees Cook <kees.cook@...onical.com>, linux-kernel@...r.kernel.org, Randy Dunlap <rdunlap@...otime.net>, Andrew Morton <akpm@...ux-foundation.org>, Jiri Kosina <jkosina@...e.cz>, Dave Young <hidave.darkstar@...il.com>, Martin Schwidefsky <schwidefsky@...ibm.com>, Oleg Nesterov <oleg@...hat.com>, "H. Peter Anvin" <hpa@...or.com>, David Howells <dhowells@...hat.com>, Ingo Molnar <mingo@...e.hu>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, "Eric W. Biederman" <ebiederm@...ssion.com>, linux-doc@...r.kernel.org Subject: Re: [PATCH] ptrace: allow restriction of ptrace scope Quoting Roland McGrath (roland@...hat.com): > > Though, honestly, just trying to get rid of PTRACE seems like the better > > place to spend time. > > Crushing irony of telling *me* this duly noted. ;-) > I am not really sure what deeply different set of security constraints > you envision on any other kind of new debugger interface that would be > any different for the concerns you've expressed, though. > > > > I don't think "task->pid > 0" is a sort of check that is used elsewhere in > > > the kernel for this. Perhaps "task == &init_task" would be better. > > > > Is this correct for pid_ns? I thought pid 1 (regardless of NS) would have > > a NULL parent? > > Don't ask me. I just mentioned pid_ns to get those who really know about > it to feel obliged to review your code. task->pid always holds the global pid, so 0 and 1 will be the global idle and init tasks. As for this particular patch, Quoting Kees Cook (kees.cook@...onical.com): >> running state of any of their processes. For example, if one application >>(e.g. Pidgin) was compromised, it would be possible for an attacker to >>attach to other running processes (e.g. Firefox, SSH sessions, GPG agent, >>etc) to extract additional credentials and continue to expand the scope >>of their attack without resorting to user-assisted phishing. Well that's why I like to run things like firefox, irc clients, etc each as their own userid. That also protects my ssh keys from irc client. But things like clicking urls in terminals to fire them up in a browser aren't usually hooked up right when you do that. Not that it'd be impossible to do right. Anyway, if you're going to do this (sounds like, as a tiny-lsm?), how about replacing the sysctl with a per-task flag which, once set, can't be unset? Then firefox can mark itself unable-to-ptrace (or I can do so in a wrapper before calling firefox.real), after which it cannot strace anything which isn't its descendent, but I can still strace firefox from my shell. Of course, don't bother with that change unless someone seconds the suggestion, in case ppl don't like it and ask you to change it back :) -serge -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists