From owner-freebsd-arch@FreeBSD.ORG Tue Dec 30 15:58:46 2014 Return-Path: Delivered-To: freebsd-arch@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id AB3BEDFC for ; Tue, 30 Dec 2014 15:58:46 +0000 (UTC) Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4C1C221BD for ; Tue, 30 Dec 2014 15:58:46 +0000 (UTC) Received: from tom.home (kostik@localhost [127.0.0.1]) by kib.kiev.ua (8.14.9/8.14.9) with ESMTP id sBUFwe8S015251 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 30 Dec 2014 17:58:40 +0200 (EET) (envelope-from kostikbel@gmail.com) DKIM-Filter: OpenDKIM Filter v2.9.2 kib.kiev.ua sBUFwe8S015251 Received: (from kostik@localhost) by tom.home (8.14.9/8.14.9/Submit) id sBUFwe08015250; Tue, 30 Dec 2014 17:58:40 +0200 (EET) (envelope-from kostikbel@gmail.com) X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com using -f Date: Tue, 30 Dec 2014 17:58:40 +0200 From: Konstantin Belousov To: Shawn Webb Subject: Re: Disabling ptrace Message-ID: <20141230155840.GI42409@kib.kiev.ua> References: <20141230111941.GE42409@kib.kiev.ua> <20141230140709.GA96469@stack.nl> <3368390.qHnOScdmzK@shawnwebb-laptop> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3368390.qHnOScdmzK@shawnwebb-laptop> User-Agent: Mutt/1.5.23 (2014-03-12) X-Spam-Status: No, score=-2.0 required=5.0 tests=ALL_TRUSTED,BAYES_00, DKIM_ADSP_CUSTOM_MED,FREEMAIL_FROM,NML_ADSP_CUSTOM_MED autolearn=no autolearn_force=no version=3.4.0 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on tom.home Cc: Jilles Tjoelker , freebsd-arch@freebsd.org X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Dec 2014 15:58:46 -0000 On Tue, Dec 30, 2014 at 10:38:56AM -0500, Shawn Webb wrote: > On Tuesday, December 30, 2014 03:07:10 PM Jilles Tjoelker wrote: > > On Tue, Dec 30, 2014 at 01:19:41PM +0200, Konstantin Belousov wrote: > > > The question about a facility to disable introspection functionality > > > (ptrace etc) for a process was asked several times. The latest query > > > made me actually code the feature. Note that other systems, e.g. Linux > > > and OSX, do have similar facilities. > > > > > > Patch is below, it provides two new procctl(2) requests. > > > PROC_TRACE_ENABLE enables or disables tracing. It includes core > > > dumping, ptrace, ktrace, debugging sysctls and hwpmc. > > > PROC_TRACE_STATUS allows to get the tracing state. > > > > > > Most interesting question is how should disabling of trace behave > > > with regard of fork and exec. IMO, the right model is to protect > > > access to the _program_ address space, which translates to inheritance > > > of the attribute for fork, and reenabling the tracing on exec. > > > > I agree. I imagine this will be useful for programs like ssh-agent, to > > protect their unlocked key material. > > > > This is also what Linux provides, and it is simpler than this patch: > > prctl(PR_SET_DUMPABLE) lets a process make their issetugid() equivalent > > return true, including preventing tracing by unprivileged users. You > > could call that unification a hack. > > > > > On the other hand, I understand that some users want to inherit the > > > tracing disable on exec, so there are PROC_TRACE_SET_DISABLED and > > > PROC_TRACE_SET_DISABLED_EXEC, the later makes disable to be kept after > > > exec. > > > > This is apparently meant to protect a whole process tree as a hardening > > measure, or instead of PROC_TRACE_SET_DISABLED if it is undesirable to > > modify the program with key material. > > > > > Note that it is trivial for root on the host to circumvent the feature. > > > > I'd prefer if root can still trace normally, without needing any hacks. > > Philosophically, FreeBSD should serve the system administrator first and > > only then the application programmer. Also, the debugging facilities may > > be needed to debug FreeBSD itself (e.g. procstat -k), not just the > > application. > > It's easy even for non-root to disable or work around ptrace disabling. > LD_PRELOAD, nopping out the instructions, dtrace, etc. Note that for SUID > applications, such tricks don't work. The point is that such protections are > very easily disabled, even by non-root users for non-SUID applications. Google for 'It rather involved being on the other side of this airtight hatchway'. > > I'm curious what the use case was that brought this up. And why the requester > thinks it's actually useful. > > We at HardenedBSD have introduced a ptrace hardening patch that limits those > who can use ptrace to a certain group. We've also added hardening around > [lin]procfs. I believe those to be effective against ptrace abuse to a greater > extent. It doesn't, though, handle dtrace, something we still need to > research. > > Thanks, > > Shawn