From: "Robert N. M. Watson"
To: Konstantin Belousov
Cc: arch@freebsd.org
Subject: Re: Disabling ptrace
Date: Sat, 3 Jan 2015 17:38:18 +0000
In-Reply-To: <20150103163249.GX42409@kib.kiev.ua>
References: <20141230111941.GE42409@kib.kiev.ua> <20150102171314.GS42409@kib.kiev.ua> <179DAA4D-3526-446C-A0A2-9F7DA137293F@FreeBSD.org> <20150103142535.GW42409@kib.kiev.ua> <20150103163249.GX42409@kib.kiev.ua>
List-Id: Discussion related to FreeBSD architecture (freebsd-arch@freebsd.org)

On 3 Jan 2015, at 16:32, Konstantin Belousov wrote:

> On Sat, Jan 03, 2015 at 04:25:35PM +0200, Konstantin Belousov wrote:
>> On Sat, Jan 03, 2015 at 01:37:33PM +0000, Robert Watson wrote:
>>> I'm OK with putting the flag on the process, but frequently the
>>> process credential is where we stick security-related subject/object
>>> flags...
>
> Hm, credentials store the rights of the subject, related to the
> credentials (am I using the correct terminology?). While the no-trace
> attribute is not a right, it is very similar to e.g. DAC or an ACL on
> files, which are stored in the inode. No-trace is an attribute of the
> process, and by the DAC analogy, should be stored in the object which is
> protected.
>
> In other words, we do not disallow some user to attach with ptrace,
> but mark some process as not attachable.

Processes are different from most other kernel objects in that they are both subjects and objects of operations. While subject 'credentials' in the classic UNIX model (UIDs, GIDs, additional groups) differ from object metadata (e.g., user/group/permissions), for other models the same data structures are used for both the subject and the object (e.g., for most labeled MAC policies). When we do inter-process access control, the credential of the target process is used for most aspects of protection, just as file ownership/permissions would be, so they really are its object properties as much as its subject properties.

Robert
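To make the subject/object distinction in the exchange above concrete, here is a small C model of an attach check in which the target's credential is consulted as object metadata (like file ownership) and the no-trace mark is stored on the process object itself. It is an illustration added to this page, not FreeBSD kernel code: the struct layouts, the P_NOTRACE name, the procctl-style setter and the exact rules (superuser bypasses the uid match, no-trace denies every subject, a process cannot attach to itself) are assumptions chosen for the demonstration, not a description of FreeBSD's actual p_candebug() logic.

```c
/*
 * Toy model of the inter-process access check the thread is arguing about.
 * This is an illustration added to this page, not FreeBSD kernel code: the
 * struct layouts, the P_NOTRACE name and the exact rules encoded below are
 * assumptions chosen to show the subject/object shape of the decision.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Subject credential in the classic UNIX model, reduced to the uids we need. */
struct cred {
    unsigned ruid;          /* real uid */
    unsigned euid;          /* effective uid */
};

/*
 * A process is both a subject (it carries a cred) and an object (it can be
 * the target of ptrace). Following the DAC analogy in the quoted text, the
 * no-trace mark is stored on the object, i.e. in struct proc, not in the
 * credential.
 */
#define P_NOTRACE 0x1u

struct proc {
    int pid;
    struct cred *cred;      /* would be shared and refcounted in a real kernel */
    unsigned flags;
};

/* Mark a process as not attachable; what a procctl-style request would do. */
void proc_set_notrace(struct proc *p, bool on)
{
    if (on)
        p->flags |= P_NOTRACE;
    else
        p->flags &= ~P_NOTRACE;
}

/*
 * May the subject 'curp' attach to 'target'?  Returns 0 or an errno value.
 * The target's credential is consulted as object metadata, the way file
 * ownership would be, and the no-trace flag is consulted as an object
 * attribute that no subject credential overrides (assumed rule).
 */
int can_ptrace_attach(const struct proc *curp, const struct proc *target)
{
    const struct cred *s = curp->cred;
    const struct cred *t = target->cred;

    if (curp->pid == target->pid)
        return EINVAL;                  /* a process cannot attach to itself */
    if (target->flags & P_NOTRACE)
        return EPERM;                   /* object says: not attachable */
    if (s->euid == 0)
        return 0;                       /* superuser: subject right wins */
    if (s->ruid != t->ruid || s->euid != t->euid)
        return EPERM;                   /* uid mismatch, like a 0600 file */
    return 0;
}

int main(void)
{
    /* Constructed sample processes: two owned by uid 1001, one by root. */
    struct cred user = { 1001, 1001 }, root = { 0, 0 };
    struct proc debugger = { 100, &user, 0 };
    struct proc victim   = { 200, &user, 0 };
    struct proc rootsh   = { 300, &root, 0 };

    printf("same uid, no flag:     %d\n", can_ptrace_attach(&debugger, &victim));
    proc_set_notrace(&victim, true);
    printf("same uid, P_NOTRACE:   %d\n", can_ptrace_attach(&debugger, &victim));
    printf("root, P_NOTRACE:       %d\n", can_ptrace_attach(&rootsh, &victim));
    printf("user -> root shell:    %d\n", can_ptrace_attach(&debugger, &rootsh));
    return 0;
}
```

The point the model makes is that the decision reads two things off the target: its credential (compared against the subject's, exactly as a file's owner would be) and a per-process attribute that no subject credential can override. Where that attribute physically lives is the design question in the thread; in this model it is on struct proc, which is the placement the quoted reply argues for.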