SELinuxDenyPtrace: Write, compile, run, but don't debug applications?

Kees Cook kees at ubuntu.com
Thu Apr 12 15:05:55 UTC 2012


Niels de Vos said:
> On Mon, Apr 9, 2012 at 3:38 PM, Eric Paris <eparis at redhat.com> wrote:
>> On Mon, 2012-04-09 at 00:31 +0200, Kevin Kofler wrote:
>>> It also
>>> breaks crash reporters such as DrKonqi (for DrKonqi, we work around this by
>>> disabling the flag in kde-runtime's %post script, but there are other
>>> similar debuggers in upstream software, some not packaged in Fedora)
>>
>> I ask in the bug how DrKonqi works on other distros with the YAMA
>> security module enabled which implements a slightly different semantic
>> and didn't hear a response.  I have patches which I will try to get into
>> the Fedora kernel later today that will allow us to seamlessly allow gdb
>> to trace children.  gdb -p would still require disabling the boolean.
>> (Think about it a moment.  gdb -p is the same as firefox trying to
>> ptrace gnome-keyring)

Eric and Dan, please don't reinvent the wheel here.

> It seems that there is prctl() call to allow a specific PID (like gdb
> started by the signal-handler of DrKonqi) to trace the calling/crashed
> process. The idea comes from following the gdb discussion here:
> - http://sourceware.org/ml/gdb-patches/2012-03/msg00274.html

Please just use Yama -- it's already in the mainline kernel[1]. You
don't need to create anything new. All the crash handlers and other
tools (Firefox, Chrome, DrKonqi/KDE, and Wine) are already aware of how
to declare ptrace relationships with prctl(PR_SET_PTRACER) from when I
wrote Yama and sent patches to various upstreams. Just allowing child
process relationships isn't sufficient, which is why PR_SET_PTRACER was
created so that things like Wine could declare the entire cluster of
wine-server-spawned processes as ptraceable, etc.

Why go a totally new route when all of these problems were already solved?

Please just read through the module documentation[2] and enable it[3],
it'll make all of this just go away. You can even patch the ptrace manpage
for PTRACE_ATTACH[4] so people know where to get more details.

-Kees

[1] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=tree;f=security/yama;hb=HEAD
[2] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/security/Yama.txt;hb=HEAD
[3] http://git.kernel.org/?p=linux/kernel/git/kees/linux.git;a=commitdiff;h=25de2d649334d53ab168eb8178e0889a3533f3c1
[4] http://manpages.ubuntu.com/ptrace

-- 
Kees Cook
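The prctl(PR_SET_PTRACER) relationship the mail describes, as an added example that is neither Kees's code nor part of Yama: a crashing process forks a crash helper and names it as the only process allowed to attach, which under ptrace_scope=1 a child could not otherwise do to its parent. The sysctl path, the 100 ms delay and the helper's attach/detach round trip are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>   /* PR_SET_PTRACER */
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Current kernel.yama.ptrace_scope, or -1 if the sysctl (and Yama) is absent. */
int yama_ptrace_scope(void)
{
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    int scope = -1;
    if (f) {
        if (fscanf(f, "%d", &scope) != 1) scope = -1;
        fclose(f);
    }
    return scope;
}

/* Declare that only `tracer` may PTRACE_ATTACH to the caller (scope 1).
 * Returns 0 or -errno; a kernel without Yama answers EINVAL. */
int allow_tracer(pid_t tracer)
{
    return prctl(PR_SET_PTRACER, (unsigned long)tracer, 0, 0, 0) ? -errno : 0;
}

int main(void)
{
    printf("ptrace_scope = %d\n", yama_ptrace_scope());
    /* Fork the crash helper first so the crashing process knows its PID. */
    pid_t helper = fork();
    if (helper == 0) {
        pid_t target = getppid();
        usleep(100000);                      /* let the parent call prctl() (assumed delay) */
        if (ptrace(PTRACE_ATTACH, target, NULL, NULL) == -1) {
            perror("helper: PTRACE_ATTACH");
            _exit(1);
        }
        waitpid(target, NULL, 0);            /* consume the attach stop */
        ptrace(PTRACE_DETACH, target, NULL, NULL);
        _exit(0);
    }
    int rc = allow_tracer(helper);           /* the one call the mail is about */
    printf("PR_SET_PTRACER(%d): %s\n", (int)helper, rc ? strerror(-rc) : "ok");
    int status = 0;
    waitpid(helper, &status, 0);
    printf("helper %s\n", WIFEXITED(status) && !WEXITSTATUS(status) ? "attached and detached" : "could not attach");
    return 0;
}
```

Run it once as is and once after `sysctl kernel.yama.ptrace_scope=1` with the prctl() line removed to see the helper's attach refused with EPERM.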

