From owner-freebsd-arch@FreeBSD.ORG  Sat Jan  3 17:38:21 2015
Return-Path: <owner-freebsd-arch@FreeBSD.ORG>
Delivered-To: arch@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 73A16D9B
 for <arch@freebsd.org>; Sat,  3 Jan 2015 17:38:21 +0000 (UTC)
Received: from cyrus.watson.org (cyrus.watson.org [198.74.231.69])
 by mx1.freebsd.org (Postfix) with ESMTP id 47C1E64D26
 for <arch@freebsd.org>; Sat,  3 Jan 2015 17:38:21 +0000 (UTC)
Received: from [10.0.1.17] (host86-132-107-174.range86-132.btcentralplus.com
 [86.132.107.174])
 by cyrus.watson.org (Postfix) with ESMTPSA id 9323846B0D;
 Sat,  3 Jan 2015 12:38:19 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
Subject: Re: Disabling ptrace
From: "Robert N. M. Watson" <rwatson@FreeBSD.org>
In-Reply-To: <20150103163249.GX42409@kib.kiev.ua>
Date: Sat, 3 Jan 2015 17:38:18 +0000
Content-Transfer-Encoding: quoted-printable
Message-Id: <C3D29830-F75B-4EBD-88C4-F3C51DF7AB45@FreeBSD.org>
References: <20141230111941.GE42409@kib.kiev.ua>
 <alpine.BSF.2.11.1501020906300.69379@fledge.watson.org>
 <20150102171314.GS42409@kib.kiev.ua>
 <179DAA4D-3526-446C-A0A2-9F7DA137293F@FreeBSD.org>
 <20150103142535.GW42409@kib.kiev.ua> <20150103163249.GX42409@kib.kiev.ua>
To: Konstantin Belousov <kostikbel@gmail.com>
X-Mailer: Apple Mail (2.1993)
Cc: arch@freebsd.org
X-BeenThere: freebsd-arch@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Discussion related to FreeBSD architecture <freebsd-arch.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-arch>,
 <mailto:freebsd-arch-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-arch/>
List-Post: <mailto:freebsd-arch@freebsd.org>
List-Help: <mailto:freebsd-arch-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-arch>,
 <mailto:freebsd-arch-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Jan 2015 17:38:21 -0000

On 3 Jan 2015, at 16:32, Konstantin Belousov <kostikbel@gmail.com> =
wrote:
>=20
> On Sat, Jan 03, 2015 at 04:25:35PM +0200, Konstantin Belousov wrote:
>> On Sat, Jan 03, 2015 at 01:37:33PM +0000, Robert Watson wrote:
>>> I???m OK with putting the flag on the process, but frequently the
>>> process credential is where we stick security-related subject/object
>>> flags...
> Hm, credentials store the rights of the subject, related to the
> credentials (am I using the correct terminology ?). While the no-trace
> attribute is not rights, it is very similar to e.g. DAC or ACL on the
> files, which are stored in inode. No-trace is an attribute of the
> process, and by the DAC analogy, should be stored in the object which =
is
> protected.
>=20
> In other words, we do not disallow some user to do attach with ptrace,
> but mark some process as not attachable.

Processes are different from most other kernels objects in that they are =
both subjects and objects of operations. While subject 'credentials' in =
the classic UNIX model (UIDs, GIDs, additional groups) differ from =
object metadata (e.g., user/group/permissions), for other models the =
same data structures are used for both the subject and object (e.g., for =
most labeled MAC policies). When we do inter-process access control, the =
credential of the target process is used for most aspects of protection, =
just as file ownership/permissions would be, so really are its object =
properties as much as its subject properties.

Robert=