From owner-freebsd-arch@FreeBSD.ORG  Tue Dec 30 16:51:42 2014
Return-Path: <owner-freebsd-arch@FreeBSD.ORG>
Delivered-To: arch@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 1118E7EA
 for <arch@freebsd.org>; Tue, 30 Dec 2014 16:51:42 +0000 (UTC)
Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id A5B322B61
 for <arch@freebsd.org>; Tue, 30 Dec 2014 16:51:41 +0000 (UTC)
Received: from tom.home (kostik@localhost [127.0.0.1])
 by kib.kiev.ua (8.14.9/8.14.9) with ESMTP id sBUGpa8d027433
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
 Tue, 30 Dec 2014 18:51:36 +0200 (EET)
 (envelope-from kostikbel@gmail.com)
DKIM-Filter: OpenDKIM Filter v2.9.2 kib.kiev.ua sBUGpa8d027433
Received: (from kostik@localhost)
 by tom.home (8.14.9/8.14.9/Submit) id sBUGpa0I027432;
 Tue, 30 Dec 2014 18:51:36 +0200 (EET)
 (envelope-from kostikbel@gmail.com)
X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com
 using -f
Date: Tue, 30 Dec 2014 18:51:36 +0200
From: Konstantin Belousov <kostikbel@gmail.com>
To: Jilles Tjoelker <jilles@stack.nl>
Subject: Re: Disabling ptrace
Message-ID: <20141230165136.GK42409@kib.kiev.ua>
References: <20141230111941.GE42409@kib.kiev.ua>
 <20141230140709.GA96469@stack.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20141230140709.GA96469@stack.nl>
User-Agent: Mutt/1.5.23 (2014-03-12)
X-Spam-Status: No, score=-2.0 required=5.0 tests=ALL_TRUSTED,BAYES_00,
 DKIM_ADSP_CUSTOM_MED,FREEMAIL_FROM,NML_ADSP_CUSTOM_MED autolearn=no
 autolearn_force=no version=3.4.0
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on tom.home
Cc: arch@freebsd.org
X-BeenThere: freebsd-arch@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Discussion related to FreeBSD architecture <freebsd-arch.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-arch>,
 <mailto:freebsd-arch-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-arch/>
List-Post: <mailto:freebsd-arch@freebsd.org>
List-Help: <mailto:freebsd-arch-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-arch>,
 <mailto:freebsd-arch-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Dec 2014 16:51:42 -0000

On Tue, Dec 30, 2014 at 03:07:10PM +0100, Jilles Tjoelker wrote:
> On Tue, Dec 30, 2014 at 01:19:41PM +0200, Konstantin Belousov wrote:
> > The question about a facility to disable introspection functionality
> > (ptrace etc) for a process was asked several times. The latest query
> > made me actually code the feature. Note that other systems, e.g. Linux
> > and OSX, do have similar facilities.
> 
> > Patch is below, it provides two new procctl(2) requests.
> > PROC_TRACE_ENABLE enables or disables tracing.  It includes core
> > dumping, ptrace, ktrace, debugging sysctls and hwpmc.
> > PROC_TRACE_STATUS allows to get the tracing state.
> 
> > Most interesting question is how should disabling of trace behave
> > with regard of fork and exec. IMO, the right model is to protect
> > access to the _program_ address space, which translates to inheritance
> > of the attribute for fork, and reenabling the tracing on exec.
> 
> I agree. I imagine this will be useful for programs like ssh-agent, to
> protect their unlocked key material.
> 
> This is also what Linux provides, and it is simpler than this patch:
> prctl(PR_SET_DUMPABLE) lets a process make their issetugid() equivalent
> return true, including preventing tracing by unprivileged users. You
> could call that unification a hack.
Yes, I do not like this.  We have nice and proper p_candebug(9) KPI.

> 
> > On the other hand, I understand that some users want to inherit the
> > tracing disable on exec, so there are PROC_TRACE_SET_DISABLED and
> > PROC_TRACE_SET_DISABLED_EXEC, the later makes disable to be kept after
> > exec.
> 
> This is apparently meant to protect a whole process tree as a hardening
> measure, or instead of PROC_TRACE_SET_DISABLED if it is undesirable to
> modify the program with key material.
Agreed, it could be reinterpreted this way.  Do you suggest to change
name for PROC_TRACE_SET_DISABLED_EXEC ?  E.g. PROC_TRACE_SET_DISABLED_TREE ?

> 
> > Note that it is trivial for root on the host to circumvent the feature.
> 
> I'd prefer if root can still trace normally, without needing any hacks.
> Philosophically, FreeBSD should serve the system administrator first and
> only then the application programmer. Also, the debugging facilities may
> be needed to debug FreeBSD itself (e.g. procstat -k), not just the
> application.

This is reasonable. It seems that the only way to enable host root to
use tracing without allowing jail' roots to do the same, is to introduce
new privilege. I changed the p_candebug() chunk to the following:

	/* Denied explicitely */
	if ((p->p_flag2 & P2_NOTRACE) != 0) {
		error = priv_check(td, PRIV_DEBUG_DENIED);
		if (error != 0)
			return (error);
	}