This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.
Re: [PATCH] ptrace: allow restriction of ptrace scope
- From: fche at redhat dot com (Frank Ch. Eigler)
- To: Kees Cook <kees dot cook at canonical dot com>
- Cc: Alan Cox <alan at lxorguk dot ukuu dot org dot uk>, Randy Dunlap <rdunlap at xenotime dot net>, James Morris <jmorris at namei dot org>, linux-kernel at vger dot kernel dot org, Andrew Morton <akpm at linux-foundation dot org>, Jiri Kosina <jkosina at suse dot cz>, Dave Young <hidave dot darkstar at gmail dot com>, Martin Schwidefsky <schwidefsky at de dot ibm dot com>, Roland McGrath <roland at redhat dot com>, Oleg Nesterov <oleg at redhat dot com>, "H. Peter Anvin" <hpa at zytor dot com>, David Howells <dhowells at redhat dot com>, Ingo Molnar <mingo at elte dot hu>, Peter Zijlstra <a dot p dot zijlstra at chello dot nl>, "Eric W. Biederman" <ebiederm at xmission dot com>, linux-doc at vger dot kernel dot org, Stephen Smalley <sds at tycho dot nsa dot gov>, Daniel J Walsh <dwalsh at redhat dot com>, linux-security-module at vger dot kernel dot org, systemtap at sourceware dot org
- Date: Fri, 18 Jun 2010 23:19:53 -0400
- Subject: Re: [PATCH] ptrace: allow restriction of ptrace scope
- References: <20100616221833.GM24749@outflux.net> <20100617000120.13071be8@lxorguk.ukuu.org.uk> <20100616232230.GP24749@outflux.net> <alpine.LRH.2.00.1006172336390.17282@tundra.namei.org> <20100617170453.GV24749@outflux.net> <20100617215349.2fac02f5@lxorguk.ukuu.org.uk> <20100617140630.c6ced27a.rdunlap@xenotime.net> <20100617221815.68ce30c5@lxorguk.ukuu.org.uk> <20100617215105.GB24749@outflux.net>
Kees Cook <kees.cook@canonical.com> writes:
> [...] At present, I'm aware of global PTRACE control being possible
> in SELinux, AppArmor, grsecurity, and as a patch in Ubuntu's kernel.
> I don't know about TOMOYO or Smack, but configuring the default
> scope of PTRACE in at least 4 different ways so far (or not being
> able to change it at all) just seems crazy. [...]
For the curious, below is a demonstration of an interactive systemtap
script that can implement this sort of local policy, independently of
the other security APIs.
http://sourceware.org/systemtap/examples/keyword-index.html#SECURITY
just a user                                                   sammy sysadmin
===========                                                   ==============
8232% echo $$
8232
                                                              root# noptrace.stp -x 8232 &
8232% do-stuff &
[1] 8888
                                                              root# cat /proc/systemtap/stap_*/blocked
                                                              8232 /bin/bash
                                                              8888 /usr/local/bin/do-stuff
8232% strace ls
strace: ptrace(PTRACE_TRACEME, ...): No such process
8232% gdb do-stuff 8888
Attaching to program: /usr/local/bin/do-stuff, process 8888
ptrace: No such process.
                                                              root# echo 8232 > /proc/systemtap/stap_*/unblock
8232% strace ls
[...working again...]
- FChE
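The message shows the effect of the policy but not the script itself. The following SystemTap script is an added illustration of how such a per-process-tree ptrace block can be built; it is not FChE's noptrace.stp (which the mail does not include) and not part of the SystemTap examples collection. The file name noptrace-demo.stp is made up. It assumes a kernel with debuginfo on which the tapset's syscall.ptrace probe lands on sys_ptrace directly, so that $request and $pid are readable and, in guru mode (-g), writable at entry; the kprocess.create, kprocess.exec, kprocess.exit and procfs() probes and the pid2execname() and strtol() tapset functions are used as documented. The enforcement trick relies on one kernel fact: a ptrace() call whose pid names no task fails with -ESRCH, which is the "No such process" the transcript shows.

```systemtap
#!/usr/bin/env stap
# noptrace-demo.stp (hypothetical name): a local no-ptrace policy for
# one process tree, enforced by SystemTap alone.  Run as root in guru
# mode, naming the process to protect:   stap -g noptrace-demo.stp -x PID
#
# Control files appear under /proc/systemtap/stap_*/:
#   blocked  - read:  one "pid executable" line per protected process
#   unblock  - write: a pid to remove from the protected set

global blocked      # pid -> executable path of every protected process

probe begin {
  if (target() == 0)
    error("usage: stap -g noptrace-demo.stp -x PID")
  blocked[target()] = pid2execname(target())
}

# Children of a protected process are protected too (fork/clone).
probe kprocess.create {
  if (pid() in blocked)
    blocked[new_pid] = blocked[pid()]
}

# Record the real executable once a protected process exec()s.
probe kprocess.exec {
  if (pid() in blocked)
    blocked[pid()] = filename
}

# Drop processes that exit so the table cannot grow without bound.
probe kprocess.exit {
  delete blocked[pid()]
}

# Decide whether this ptrace() call must be refused:
#  - PTRACE_TRACEME (request 0) is the caller asking to be traced, so
#    the caller's own pid is what matters;
#  - every other request names the tracee in the pid argument.
function refused:long(request:long, tracee:long) {
  if (request == 0)
    return (pid() in blocked)
  return (tracee in blocked)
}

# Enforce at syscall entry by rewriting the arguments (guru mode):
# a pid of -1 names no task, so the kernel itself answers -ESRCH and
# the tracer sees "No such process".  Changing the request as well keeps
# PTRACE_TRACEME from taking its early, pid-less path.
probe syscall.ptrace {
  if (refused($request, $pid)) {
    printf("refused ptrace(%d, %d) by %s[%d]\n",
           $request, $pid, execname(), pid())
    $request = -1
    $pid = -1
  }
}

# /proc/systemtap/stap_*/blocked: list the protected set.
probe procfs("blocked").read {
  s = ""
  foreach (p in blocked)
    s .= sprintf("%d %s\n", p, blocked[p])
  $value = s
}

# /proc/systemtap/stap_*/unblock: "echo PID > unblock" lifts the block.
probe procfs("unblock").write {
  delete blocked[strtol($value, 10)]
}
```

Rewriting the arguments at entry, rather than overwriting $return afterwards, matters: by the time a return probe fires, PTRACE_ATTACH has already attached, so faking an error there would leave the tracee stopped and traced while telling the tracer it failed. Refusing before the kernel acts is what actually keeps the debugger off the process. Note that this refuses every tracer, root included, for anything in the protected set; lifting the block for a single pid, as the transcript does with "echo 8232 > unblock", does not unblock its already-recorded descendants.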