Date:      Sat, 3 Jan 2015 17:38:18 +0000
From:      "Robert N. M. Watson" <rwatson@FreeBSD.org>
To:        Konstantin Belousov <kostikbel@gmail.com>
Cc:        arch@freebsd.org
Subject:   Re: Disabling ptrace
Message-ID:  <C3D29830-F75B-4EBD-88C4-F3C51DF7AB45@FreeBSD.org>
In-Reply-To: <20150103163249.GX42409@kib.kiev.ua>
References:  <20141230111941.GE42409@kib.kiev.ua> <alpine.BSF.2.11.1501020906300.69379@fledge.watson.org> <20150102171314.GS42409@kib.kiev.ua> <179DAA4D-3526-446C-A0A2-9F7DA137293F@FreeBSD.org> <20150103142535.GW42409@kib.kiev.ua> <20150103163249.GX42409@kib.kiev.ua>

On 3 Jan 2015, at 16:32, Konstantin Belousov <kostikbel@gmail.com> wrote:
> 
> On Sat, Jan 03, 2015 at 04:25:35PM +0200, Konstantin Belousov wrote:
>> On Sat, Jan 03, 2015 at 01:37:33PM +0000, Robert Watson wrote:
>>> I'm OK with putting the flag on the process, but frequently the
>>> process credential is where we stick security-related subject/object
>>> flags...
> Hm, credentials store the rights of the subject, related to the
> credentials (am I using the correct terminology ?). While the no-trace
> attribute is not rights, it is very similar to e.g. DAC or ACL on the
> files, which are stored in inode. No-trace is an attribute of the
> process, and by the DAC analogy, should be stored in the object which is
> protected.
> 
> In other words, we do not disallow some user to do attach with ptrace,
> but mark some process as not attachable.

Processes are different from most other kernel objects in that they are both subjects and objects of operations. While subject 'credentials' in the classic UNIX model (UIDs, GIDs, additional groups) differ from object metadata (e.g., user/group/permissions), for other models the same data structures are used for both the subject and object (e.g., for most labeled MAC policies). When we do inter-process access control, the credential of the target process is used for most aspects of protection, just as file ownership/permissions would be, so really are its object properties as much as its subject properties.

Robert
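
The two placements discussed in this thread, as an added example that is not part of the original message and is not FreeBSD kernel code. The structures, the CRED_NOTRACE flag, the p_notrace field and the idea that two processes share one credential are assumptions of this simplified model; the uid check is reduced to equality.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model for illustration; names are not FreeBSD's. */
#define CRED_NOTRACE 0x1u      /* assumed flag: holder may not be traced */

struct cred {                  /* read as subject data AND as object data */
    unsigned uid;
    unsigned flags;
};

struct proc {
    struct cred *cred;         /* may be shared by several processes */
    bool p_notrace;            /* alternative placement: on the process */
};

/* Variant A: the attribute is stored in the target's credential. */
bool can_trace_cred(const struct proc *subj, const struct proc *targ)
{
    if (targ->cred->flags & CRED_NOTRACE)   /* target cred as object metadata */
        return false;
    return subj->cred->uid == targ->cred->uid;  /* subject cred vs target cred */
}

/* Variant B: the attribute is stored on the protected process itself. */
bool can_trace_proc(const struct proc *subj, const struct proc *targ)
{
    if (targ->p_notrace)
        return false;
    return subj->cred->uid == targ->cred->uid;
}

/* Constructed sample data: a and b share one credential, c owns its flag. */
struct cred user = { 1001, 0 }, locked = { 1001, CRED_NOTRACE };
struct proc dbg = { &user, false };
struct proc a = { &locked, false }, b = { &locked, false };
struct proc c = { &user, true };

int main(void)
{
    /* Variant A: every process holding the flagged credential is covered. */
    printf("cred flag: a=%d b=%d\n",
           can_trace_cred(&dbg, &a), can_trace_cred(&dbg, &b));
    /* Variant B: only the marked process is covered; a and b are not. */
    printf("proc flag: c=%d a=%d\n",
           can_trace_proc(&dbg, &c), can_trace_proc(&dbg, &a));
    return 0;
}
```

In both variants the decision reads the target's credential for the uid comparison, which is the sense in which the credential acts as object metadata; the variants differ only in which object carries the no-trace attribute and therefore which processes it covers.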
