Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 30 Dec 2014 10:38:56 -0500
From:      Shawn Webb <lattera@gmail.com>
To:        freebsd-arch@freebsd.org
Cc:        Konstantin Belousov <kostikbel@gmail.com>, Jilles Tjoelker <jilles@stack.nl>
Subject:   Re: Disabling ptrace
Message-ID:  <3368390.qHnOScdmzK@shawnwebb-laptop>
In-Reply-To: <20141230140709.GA96469@stack.nl>
References:  <20141230111941.GE42409@kib.kiev.ua> <20141230140709.GA96469@stack.nl>

next in thread | previous in thread | raw e-mail | index | archive | help

--nextPart12681731.czNAJhFhVz
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"

On Tuesday, December 30, 2014 03:07:10 PM Jilles Tjoelker wrote:
> On Tue, Dec 30, 2014 at 01:19:41PM +0200, Konstantin Belousov wrote:
> > The question about a facility to disable introspection functionality
> > (ptrace etc) for a process was asked several times. The latest query
> > made me actually code the feature. Note that other systems, e.g. Linux
> > and OSX, do have similar facilities.
> > 
> > Patch is below, it provides two new procctl(2) requests.
> > PROC_TRACE_ENABLE enables or disables tracing.  It includes core
> > dumping, ptrace, ktrace, debugging sysctls and hwpmc.
> > PROC_TRACE_STATUS allows to get the tracing state.
> > 
> > Most interesting question is how should disabling of trace behave
> > with regard of fork and exec. IMO, the right model is to protect
> > access to the _program_ address space, which translates to inheritance
> > of the attribute for fork, and reenabling the tracing on exec.
> 
> I agree. I imagine this will be useful for programs like ssh-agent, to
> protect their unlocked key material.
> 
> This is also what Linux provides, and it is simpler than this patch:
> prctl(PR_SET_DUMPABLE) lets a process make their issetugid() equivalent
> return true, including preventing tracing by unprivileged users. You
> could call that unification a hack.
> 
> > On the other hand, I understand that some users want to inherit the
> > tracing disable on exec, so there are PROC_TRACE_SET_DISABLED and
> > PROC_TRACE_SET_DISABLED_EXEC, the later makes disable to be kept after
> > exec.
> 
> This is apparently meant to protect a whole process tree as a hardening
> measure, or instead of PROC_TRACE_SET_DISABLED if it is undesirable to
> modify the program with key material.
> 
> > Note that it is trivial for root on the host to circumvent the feature.
> 
> I'd prefer if root can still trace normally, without needing any hacks.
> Philosophically, FreeBSD should serve the system administrator first and
> only then the application programmer. Also, the debugging facilities may
> be needed to debug FreeBSD itself (e.g. procstat -k), not just the
> application.

It's easy even for non-root to disable or work around ptrace disabling. 
LD_PRELOAD, nopping out the instructions, dtrace, etc. Note that for SUID 
applications, such tricks don't work. The point is that such protections are 
very easily disabled, even by non-root users for non-SUID applications.

I'm curious what the use case was that brought this up. And why the requester 
thinks it's actually useful.

We at HardenedBSD have introduced a ptrace hardening patch that limits those 
who can use ptrace to a certain group. We've also added hardening around 
[lin]procfs. I believe those to be effective against ptrace abuse to a greater 
extent. It doesn't, though, handle dtrace, something we still need to 
research.

Thanks,

Shawn
--nextPart12681731.czNAJhFhVz
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part.
Content-Transfer-Encoding: 7Bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAABCAAGBQJUoscQAAoJEGqEZY9SRW7ukGAP/AqEpfrkmjxZCjykuTs66Nxx
CvSKtToVU3Rh3ymcS0QrOZAp8DlDFkFl00ZY+5/hdvEpLeMQ02yRiPikzbEpTjQ9
fcsPW2pRRR5GLwPWBxfeXPE5KfIxN8f22lFbCO4Xaf9PIUR4jzxwM9JpvjO3ZtJB
zwfTinR3PsOnYf5zvROp/QmdYgjbI1BXft9Yhwyn6MblIG7WL2HfWYO6NpDOz1R/
KyUlw/GI+KNyXSIwhe9zm+eD/ASx1rlh5vQyZlyDevGSJdgCgpbwylPE2rjp+ikx
YrVMZhEgUSTOia/cOQoq6QsLJiq0FU/YQZgPg39OcyA2YS9t/u+Di0Ut2/AJ7qtv
TqxYq7ylr+QDIfreYqJwPzMQBnFPY67cReDq2P5m2jgychvmWmYqK5SbW+SPm740
NSlGg/wbpfVbJ84hxXIz+KTpcftzxheuatFDVW38FBsxAIjz40OGoWafA6jdtAH1
Xj/lLW2OjJMm+hVgFOFmJjlFJIcDifKq6SPyH/Gi00ZUlQGukmqsj/TzLbVa/WPX
0Omcfye9yTFAafMZqszlrS8i5qU8pf0dVUQy6Po46W14CqZKa7YVhFTP7R5W0ZOS
gk53U6itNTURFlXixblMMYLgCdpkoTREVWO9iUl4pKbPIdpggXkCFg+LRgutJgkI
cTa1vQdKG4sgLiS6UbV3
=VgnI
-----END PGP SIGNATURE-----

--nextPart12681731.czNAJhFhVz--




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3368390.qHnOScdmzK>