Date: Tue, 30 Dec 2014 10:38:56 -0500
From: Shawn Webb <lattera@gmail.com>
To: freebsd-arch@freebsd.org
Cc: Konstantin Belousov <kostikbel@gmail.com>, Jilles Tjoelker <jilles@stack.nl>
Subject: Re: Disabling ptrace
Message-ID: <3368390.qHnOScdmzK@shawnwebb-laptop>
In-Reply-To: <20141230140709.GA96469@stack.nl>
References: <20141230111941.GE42409@kib.kiev.ua> <20141230140709.GA96469@stack.nl>

On Tuesday, December 30, 2014 03:07:10 PM Jilles Tjoelker wrote:
> On Tue, Dec 30, 2014 at 01:19:41PM +0200, Konstantin Belousov wrote:
> > The question about a facility to disable introspection functionality
> > (ptrace etc) for a process was asked several times. The latest query
> > made me actually code the feature. Note that other systems, e.g. Linux
> > and OSX, do have similar facilities.
> >
> > Patch is below, it provides two new procctl(2) requests.
> > PROC_TRACE_ENABLE enables or disables tracing. It includes core
> > dumping, ptrace, ktrace, debugging sysctls and hwpmc.
> > PROC_TRACE_STATUS allows to get the tracing state.
> >
> > Most interesting question is how should disabling of trace behave
> > with regard of fork and exec. IMO, the right model is to protect
> > access to the _program_ address space, which translates to inheritance
> > of the attribute for fork, and reenabling the tracing on exec.
>
> I agree. I imagine this will be useful for programs like ssh-agent, to
> protect their unlocked key material.
>
> This is also what Linux provides, and it is simpler than this patch:
> prctl(PR_SET_DUMPABLE) lets a process make their issetugid() equivalent
> return true, including preventing tracing by unprivileged users. You
> could call that unification a hack.
>
> > On the other hand, I understand that some users want to inherit the
> > tracing disable on exec, so there are PROC_TRACE_SET_DISABLED and
> > PROC_TRACE_SET_DISABLED_EXEC, the latter makes disable to be kept after
> > exec.
>
> This is apparently meant to protect a whole process tree as a hardening
> measure, or instead of PROC_TRACE_SET_DISABLED if it is undesirable to
> modify the program with key material.
>
> > Note that it is trivial for root on the host to circumvent the feature.
>
> I'd prefer if root can still trace normally, without needing any hacks.
> Philosophically, FreeBSD should serve the system administrator first and
> only then the application programmer. Also, the debugging facilities may
> be needed to debug FreeBSD itself (e.g. procstat -k), not just the
> application.

It's easy even for non-root to disable or work around ptrace disabling.
LD_PRELOAD, nopping out the instructions, dtrace, etc. Note that for SUID
applications, such tricks don't work. The point is that such protections
are very easily disabled, even by non-root users for non-SUID applications.

I'm curious what the use case was that brought this up. And why the
requester thinks it's actually useful.

We at HardenedBSD have introduced a ptrace hardening patch that limits
those who can use ptrace to a certain group. We've also added hardening
around [lin]procfs. I believe those to be effective against ptrace abuse to
a greater extent. It doesn't, though, handle dtrace, something we still
need to research.

Thanks,

Shawn
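
Added example, not part of the original message or of the patch under discussion: a C sketch of the model described in the quoted text, where a process opts out of tracing and core dumps and a forked child inherits the setting. The function names are hypothetical; the Linux branch uses prctl(PR_SET_DUMPABLE) as mentioned in the thread, and the FreeBSD branch assumes the request names found in current procctl(2) (PROC_TRACE_CTL, PROC_TRACE_STATUS), which differ from the PROC_TRACE_ENABLE name used in the proposal.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/procctl.h>
#else
#include <sys/prctl.h>
#endif

/* Disable tracing/core dumps for the caller. Returns 0 on success, -1 on error. */
int trace_disable(void)
{
#ifdef __FreeBSD__
    int arg = PROC_TRACE_CTL_DISABLE;  /* kept across fork, re-enabled on exec */
    return procctl(P_PID, getpid(), PROC_TRACE_CTL, &arg);
#else
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
#endif
}

/* Returns 1 if tracing is disabled for the caller, 0 if enabled, -1 on error. */
int trace_is_disabled(void)
{
#ifdef __FreeBSD__
    int st;  /* -1: disabled, 0: enabled and untraced, >0: pid of the tracer */
    if (procctl(P_PID, getpid(), PROC_TRACE_STATUS, &st) == -1) return -1;
    return st == -1;
#else
    int d = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    return d < 0 ? -1 : d == 0;
#endif
}

/* Forks and returns what trace_is_disabled() reports inside the child. */
int child_trace_is_disabled(void)
{
    int status;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {                    /* child: report state via exit code */
        int r = trace_is_disabled();
        _exit(r < 0 ? 2 : r);
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    if (trace_disable() == -1) { perror("trace_disable"); return 1; }
    printf("parent disabled=%d child disabled=%d\n",
           trace_is_disabled(), child_trace_is_disabled());
    return 0;
}
```

The call belongs early in startup, before key material is loaded, since it does not affect a debugger that is already attached on every platform.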