Date:      Sat, 3 Jan 2015 17:38:18 +0000
From:      "Robert N. M. Watson" <rwatson@FreeBSD.org>
To:        Konstantin Belousov <kostikbel@gmail.com>
Cc:        arch@freebsd.org
Subject:   Re: Disabling ptrace
Message-ID:  <C3D29830-F75B-4EBD-88C4-F3C51DF7AB45@FreeBSD.org>
In-Reply-To: <20150103163249.GX42409@kib.kiev.ua>
References:  <20141230111941.GE42409@kib.kiev.ua> <alpine.BSF.2.11.1501020906300.69379@fledge.watson.org> <20150102171314.GS42409@kib.kiev.ua> <179DAA4D-3526-446C-A0A2-9F7DA137293F@FreeBSD.org> <20150103142535.GW42409@kib.kiev.ua> <20150103163249.GX42409@kib.kiev.ua>

On 3 Jan 2015, at 16:32, Konstantin Belousov <kostikbel@gmail.com> wrote:
>
> On Sat, Jan 03, 2015 at 04:25:35PM +0200, Konstantin Belousov wrote:
>> On Sat, Jan 03, 2015 at 01:37:33PM +0000, Robert Watson wrote:
>>> I'm OK with putting the flag on the process, but frequently the
>>> process credential is where we stick security-related subject/object
>>> flags...
> Hm, credentials store the rights of the subject, related to the
> credentials (am I using the correct terminology?). While the no-trace
> attribute is not rights, it is very similar to e.g. DAC or ACL on the
> files, which are stored in inode. No-trace is an attribute of the
> process, and by the DAC analogy, should be stored in the object which is
> protected.
>
> In other words, we do not disallow some user to do attach with ptrace,
> but mark some process as not attachable.

Processes are different from most other kernel objects in that they are
both subjects and objects of operations. While subject 'credentials' in
the classic UNIX model (UIDs, GIDs, additional groups) differ from
object metadata (e.g., user/group/permissions), for other models the
same data structures are used for both the subject and object (e.g., for
most labeled MAC policies). When we do inter-process access control, the
credential of the target process is used for most aspects of protection,
just as file ownership/permissions would be, so really are its object
properties as much as its subject properties.

Robert


