From: Jilles Tjoelker
To: Konstantin Belousov
Cc: arch@freebsd.org
Date: Tue, 30 Dec 2014 15:07:10 +0100
Subject: Re: Disabling ptrace
Message-ID: <20141230140709.GA96469@stack.nl>
In-Reply-To: <20141230111941.GE42409@kib.kiev.ua>
List-Id: Discussion related to FreeBSD architecture

On Tue, Dec 30, 2014 at 01:19:41PM +0200, Konstantin Belousov wrote:
> The question about a facility to disable introspection functionality
> (ptrace etc) for a process was asked several times. The latest query
> made me actually code the feature. Note that other systems, e.g. Linux
> and OSX, do have similar facilities.
> Patch is below, it provides two new procctl(2) requests.
> PROC_TRACE_ENABLE enables or disables tracing. It includes core
> dumping, ptrace, ktrace, debugging sysctls and hwpmc.
> PROC_TRACE_STATUS allows one to get the tracing state.

> The most interesting question is how disabling of trace should behave
> with regard to fork and exec. IMO, the right model is to protect
> access to the _program_ address space, which translates to inheritance
> of the attribute for fork, and reenabling the tracing on exec.

I agree. I imagine this will be useful for programs like ssh-agent, to
protect their unlocked key material.

This is also what Linux provides, and it is simpler than this patch:
prctl(PR_SET_DUMPABLE) lets a process make its issetugid() equivalent
return true, including preventing tracing by unprivileged users. You
could call that unification a hack.

> On the other hand, I understand that some users want to inherit the
> tracing disable on exec, so there are PROC_TRACE_SET_DISABLED and
> PROC_TRACE_SET_DISABLED_EXEC, the latter makes the disable be kept after
> exec.

This is apparently meant to protect a whole process tree as a hardening
measure, or instead of PROC_TRACE_SET_DISABLED if it is undesirable to
modify the program with key material.

> Note that it is trivial for root on the host to circumvent the feature.

I'd prefer if root can still trace normally, without needing any hacks.
Philosophically, FreeBSD should serve the system administrator first and
only then the application programmer. Also, the debugging facilities may
be needed to debug FreeBSD itself (e.g. procstat -k), not just the
application.

-- 
Jilles Tjoelker
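An added example (not the patch from this thread and not FreeBSD project code) of how a key-holding daemon such as ssh-agent would disable tracing of itself and confirm that the disable is inherited across fork, the model the message argues for. The FreeBSD branch uses the procctl(2) request names as they were eventually committed (PROC_TRACE_CTL with PROC_TRACE_CTL_DISABLE, and PROC_TRACE_STATUS), which differ from the proposed names quoted above; the Linux branch uses prctl(PR_SET_DUMPABLE), the equivalent named in the reply.

```c
#include <sys/wait.h>
#include <unistd.h>
#if defined(__FreeBSD__)
#include <sys/procctl.h>
#elif defined(__linux__)
#include <sys/prctl.h>
#endif

/* Disable tracing (ptrace, core dumps, ...) of the calling process.
 * Returns 0 on success, -1 on error or on a platform without the facility. */
int disable_tracing(void)
{
#if defined(__FreeBSD__)
    /* Committed names (PROC_TRACE_CTL), not the proposed PROC_TRACE_ENABLE.
     * The disable is inherited on fork and cleared again on exec. */
    int req = PROC_TRACE_CTL_DISABLE;
    return procctl(P_PID, getpid(), PROC_TRACE_CTL, &req);
#elif defined(__linux__)
    /* Linux: a non-dumpable process also refuses unprivileged ptrace attach. */
    return prctl(PR_SET_DUMPABLE, 0L, 0L, 0L, 0L);
#else
    return -1;
#endif
}

/* Query the flag: 1 = tracing disabled, 0 = allowed, -1 = error/unsupported. */
int tracing_disabled(void)
{
#if defined(__FreeBSD__)
    int status; /* PROC_TRACE_STATUS: -1 disabled, 0 not traced, >0 tracer pid */
    if (procctl(P_PID, getpid(), PROC_TRACE_STATUS, &status) != 0)
        return -1;
    return status == -1;
#elif defined(__linux__)
    int d = prctl(PR_GET_DUMPABLE, 0L, 0L, 0L, 0L);
    return d < 0 ? -1 : d == 0;
#else
    return -1;
#endif
}

/* Fork and check the child still sees the disable: 1 inherited, 0 not, -1 error. */
int child_inherits_disable(void)
{
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(tracing_disabled() == 1 ? 0 : 1);
    if (waitpid(pid, &st, 0) != pid || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st) == 0;
}
```

A daemon would call disable_tracing() immediately after loading its key material, so the window in which the unlocked keys are readable through ptrace or a core dump is as short as possible.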