This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



Re: [PATCH] ptrace: allow restriction of ptrace scope


Kees Cook <kees.cook@canonical.com> writes:

> [...]  At present, I'm aware of global PTRACE control being possible
> in SELinux, AppArmor, grsecurity, and as a patch in Ubuntu's kernel.
> I don't know about TOMOYO or Smack, but configuring the default
> scope of PTRACE in at least 4 different ways so far (or not being
> able to change it at all) just seems crazy. [...]

For the curious, below is a demonstration of an interactive systemtap
script that can implement this sort of local policy, independently of
the other security APIs.

http://sourceware.org/systemtap/examples/keyword-index.html#SECURITY

just a user         sammy sysadmin
===========         ==============

8232% echo $$
8232

                    root# noptrace.stp -x 8232 &

8232% do-stuff &
[1] 8888
                    root# cat /proc/systemtap/stap_*/blocked
                    8232 /bin/bash
                    8888 /usr/local/bin/do-stuff

8232% strace ls
strace: ptrace(PTRACE_TRACEME, ...): No such process
8232% gdb do-stuff 8888
Attaching to program: /usr/local/bin/do-stuff, process 8888
ptrace: No such process.

                    root# echo 8232 > /proc/systemtap/stap_*/unblock

8232% strace ls
[...working again...]


- FChE
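As an added illustration (my own sketch, not FChE's noptrace.stp from the systemtap examples), here is one way such a policy script can be written with stock tapset probes. It assumes guru mode (-g) so that the ptrace(2) request target variable can be overwritten, and that -x names the shell whose process tree is to be restricted; the /proc control-file names follow the transcript above.

```systemtap
#!/usr/bin/stap -g
# Illustrative "noptrace"-style policy: the process given with -x and every
# descendant it forks is denied the ptrace(2) syscall.  Not the project's own
# noptrace.stp; assumes $request is writable under guru mode on this kernel.

global blocked   # pid -> executable name, as listed under /proc

probe begin {
  if (target() == 0) {
    printf("usage: stap -g noptrace.stp -x PID\n")
    exit()
  }
  blocked[target()] = pid2execname(target())
}

# Descendants inherit the restriction at fork time.
probe scheduler.process_fork {
  if ([parent_pid] in blocked)
    blocked[child_pid] = blocked[parent_pid]
}

# Keep the listing current when a blocked pid execs a new image.
probe kprocess.exec {
  if ([pid()] in blocked) blocked[pid()] = filename
}

# Drop pids whose whole thread group has exited so the table stays bounded.
probe kprocess.exit {
  if (pid() == tid()) delete blocked[pid()]
}

# A ptrace(2) call issued by a blocked pid gets an invalid request code, so
# the kernel rejects it (ESRCH/EIO) before any attach or TRACEME happens.
probe syscall.ptrace {
  if ([pid()] in blocked) {
    printf("denied ptrace from %d (%s)\n", pid(), execname())
    $request = 0xbeef
  }
}

# cat /proc/systemtap/stap_*/blocked shows the current table.
probe procfs("blocked").read {
  foreach (p in blocked) $value .= sprintf("%d %s\n", p, blocked[p])
}

# echo PID > /proc/systemtap/stap_*/unblock lifts the restriction.
probe procfs("unblock").write {
  delete blocked[strtol($value, 10)]
}
```

Because the check keys on the calling pid, the same mechanism covers strace's PTRACE_TRACEME and gdb's PTRACE_ATTACH alike, matching the two failures shown in the session.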

