[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <874m3522sy.fsf@xmission.com>
Date: Thu, 17 Nov 2016 15:51:09 -0600
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Willy Tarreau <w@....eu>
Cc: Kees Cook <keescook@...omium.org>,
Linux Containers <containers@...ts.linux-foundation.org>,
Oleg Nesterov <oleg@...hat.com>,
"linux-kernel\@vger.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-mm\@kvack.org" <linux-mm@...ck.org>,
Linux FS Devel <linux-fsdevel@...r.kernel.org>,
Michal Hocko <mhocko@...nel.org>, Jann Horn <jann@...jh.net>,
Andy Lutomirski <luto@...capital.net>
Subject: Re: [REVIEW][PATCH 2/3] exec: Don't allow ptracing an exec of an unreadable file
Willy Tarreau <w@....eu> writes:
> On Thu, Nov 17, 2016 at 01:07:33PM -0800, Kees Cook wrote:
>> I'm not opposed to a sysctl for this. Regardless, I think we need to
>> embrace this idea now, though, since we'll soon end up with
>> architectures that enforce executable-only memory, in which case
>> ptrace will again fail. Almost better to get started here and then not
>> have more surprises later.
>
> Also that makes me realize that by far the largest use case of ptrace
> is strace and that strace needs very little capabilities. I guess that
> most users would be fine with having only pointers and not contents
> for addresses or read/write of data, as they have on some other OSes,
> when the process is not readable. But in my opinion when a process
> is executable we should be able to trace its execution (even without
> memory read access).
Given all of this I will respin this series with a replacement patch
that adds a permission check ion the path where ptrace calls
access_process_vm.
I avoided it because the patch is a bit larger and with full ptrace control
is much better at leaking information. Even if you can't read the
data. But ptrace works even if it won't give you the memory based
arguments to system calls anymore.
Eric
Powered by blists - more mailing lists