Re: [PATCH] ptrace: allow restriction of ptrace scope

From: Frank Ch. Eigler
Date: Fri Jun 18 2010 - 23:20:48 EST


Kees Cook <kees.cook@xxxxxxxxxxxxx> writes:

> [...] At present, I'm aware of global PTRACE control being possible
> in SELinux, AppArmor, grsecurity, and as a patch in Ubuntu's kernel.
> I don't know about TOMOYO or Smack, but configuring the default
> scope of PTRACE in at least 4 different ways so far (or not being
> able to change it at all) just seems crazy. [...]

For the curious, below is a demonstration of an interactive systemtap
script that can implement this sort of local policy, independently of
the other security APIs.

http://sourceware.org/systemtap/examples/keyword-index.html#SECURITY

just a user sammy sysadmin
=========== ==============

8232% echo $$
8232

root# noptrace.stp -x 8232 &

8232% do-stuff &
[1] 8888
root# cat /proc/systemtap/stap_*/blocked
8232 /bin/bash
8888 /usr/local/bin/do-stuff

8232% strace ls
strace: ptrace(PTRACE_TRACEME, ...): No such process
8232% gdb do-stuff 8888
Attaching to program: /usr/local/bin/do-stuff, process 8888
ptrace: No such process.

root# echo 8232 > /proc/systemtap/stap_*/unblock

8232% strace ls
[...working again...]


- FChE
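For readers who want to see how a policy like the one demonstrated above fits together, here is an added sketch of such a script. It is not the noptrace.stp from the systemtap examples and not Frank's code; it is an illustration written for this page. It assumes the script is run in guru mode (`stap -g noptrace-demo.stp -x PID`), that guru mode permits writing the syscall argument `$request` at entry and `$return` in the return probe, and that an out-of-range request value makes the kernel's ptrace() do nothing and fail. The file names `blocked` and `unblock` under `/proc/systemtap/<module>/` mirror the transcript; the helper array `ptrace_target` and the module name are assumptions.

```systemtap
# Added illustration (not the author's script): block ptrace() for one
# process tree, controlled through /proc/systemtap/<module>/{blocked,unblock}.
# Run as:  stap -g noptrace-demo.stp -x PID      (guru mode is required)

global blocked          # pid -> executable name of every blocked process
global ptrace_target    # tid -> pid argument of the ptrace() call in flight

probe begin {
  # The pid handed over with -x seeds the blocked set.
  blocked[target()] = pid2execname(target())
}

# Children inherit the block, so the whole tree stays unattachable
# (this is why the gdb started from the blocked shell also failed above).
probe kprocess.create {
  if (pid() in blocked) blocked[new_pid] = blocked[pid()]
}

# Keep the reported name current after exec(), e.g. /usr/local/bin/do-stuff.
probe kprocess.exec {
  if (pid() in blocked) blocked[pid()] = filename
}

probe kprocess.exit {
  delete blocked[pid()]
}

# Entry side: remember the target pid and neutralise the call before the
# kernel acts on it. A blocked caller (PTRACE_TRACEME, ATTACH, ...) and a
# non-blocked caller aiming at a blocked target are both refused.
# Assumption: an out-of-range request is rejected without side effects.
probe syscall.ptrace {
  ptrace_target[tid()] = pid
  if (pid() in blocked || pid in blocked)
    $request = -1
}

# Return side: report the refusal as -ESRCH (3), which strace and gdb
# print as "No such process", matching the transcript.
# Assumption: guru mode allows overwriting $return here.
probe syscall.ptrace.return {
  t = ptrace_target[tid()]
  delete ptrace_target[tid()]
  if (pid() in blocked || t in blocked)
    $return = -3
}

# cat /proc/systemtap/<module>/blocked  ->  "<pid> <exe>" per line
probe procfs("blocked").read {
  s = ""
  foreach (p+ in blocked)
    s .= sprintf("%d %s\n", p, blocked[p])
  $value = s
}

# echo PID > /proc/systemtap/<module>/unblock  ->  lift the block for PID
probe procfs("unblock").write {
  delete blocked[strtol($value, 10)]
}
```

The point of doing the work at entry rather than only rewriting the return value is that a return probe fires after the kernel has already completed the attach; changing the reported status then would tell the tracer it failed while the tracee is in fact traced. Neutralising the request first and only then shaping the error code keeps the policy honest.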