lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20100618123653.GA5427@hallyn.com>
Date:	Fri, 18 Jun 2010 07:36:53 -0500
From:	"Serge E. Hallyn" <serge@...lyn.com>
To:	Roland McGrath <roland@...hat.com>
Cc:	Kees Cook <kees.cook@...onical.com>, linux-kernel@...r.kernel.org,
	Randy Dunlap <rdunlap@...otime.net>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Jiri Kosina <jkosina@...e.cz>,
	Dave Young <hidave.darkstar@...il.com>,
	Martin Schwidefsky <schwidefsky@...ibm.com>,
	Oleg Nesterov <oleg@...hat.com>,
	"H. Peter Anvin" <hpa@...or.com>,
	David Howells <dhowells@...hat.com>,
	Ingo Molnar <mingo@...e.hu>,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	linux-doc@...r.kernel.org
Subject: Re: [PATCH] ptrace: allow restriction of ptrace scope

Quoting Roland McGrath (roland@...hat.com):
> > Though, honestly, just trying to get rid of PTRACE seems like the better
> > place to spend time.
> 
> Crushing irony of telling *me* this duly noted.  ;-)
> I am not really sure what deeply different set of security constraints
> you envision on any other kind of new debugger interface that would be
> any different for the concerns you've expressed, though.
> 
> > > I don't think "task->pid > 0" is a sort of check that is used elsewhere in
> > > the kernel for this.  Perhaps "task == &init_task" would be better.
> > 
> > Is this correct for pid_ns?  I thought pid 1 (regardless of NS) would have
> > a NULL parent?
> 
> Don't ask me.  I just mentioned pid_ns to get those who really know about
> it to feel obliged to review your code.

task->pid always holds the global pid, so 0 and 1 will be the global idle
and init tasks.

As for this particular patch,

Quoting Kees Cook (kees.cook@...onical.com):

>> running state of any of their processes. For example, if one application
>>(e.g. Pidgin) was compromised, it would be possible for an attacker to
>>attach to other running processes (e.g. Firefox, SSH sessions, GPG agent,
>>etc) to extract additional credentials and continue to expand the scope
>>of their attack without resorting to user-assisted phishing.

Well that's why I like to run things like firefox, irc clients, etc each
as their own userid.  That also protects my ssh keys from irc client.  But
things like clicking urls in terminals to fire them up in a browser
aren't usually hooked up right when you do that.  Not that it'd be
impossible to do right.

Anyway, if you're going to do this (sounds like, as a tiny-lsm?), how
about replacing the sysctl with a per-task flag which, once set,
can't be unset?  Then firefox can mark itself unable-to-ptrace (or I
can do so in a wrapper before calling firefox.real), after which it
cannot strace anything which isn't its descendent, but I can still
strace firefox from my shell.  Of course, don't bother with that
change unless someone seconds the suggestion, in case ppl don't like
it and ask you to change it back :)

-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ