Date: Sat, 3 Jan 2015 17:38:18 +0000
From: "Robert N. M. Watson" <rwatson@FreeBSD.org>
To: Konstantin Belousov <kostikbel@gmail.com>
Cc: arch@freebsd.org
Subject: Re: Disabling ptrace
Message-ID: <C3D29830-F75B-4EBD-88C4-F3C51DF7AB45@FreeBSD.org>
In-Reply-To: <20150103163249.GX42409@kib.kiev.ua>
References: <20141230111941.GE42409@kib.kiev.ua> <alpine.BSF.2.11.1501020906300.69379@fledge.watson.org> <20150102171314.GS42409@kib.kiev.ua> <179DAA4D-3526-446C-A0A2-9F7DA137293F@FreeBSD.org> <20150103142535.GW42409@kib.kiev.ua> <20150103163249.GX42409@kib.kiev.ua>
On 3 Jan 2015, at 16:32, Konstantin Belousov <kostikbel@gmail.com> wrote:

> On Sat, Jan 03, 2015 at 04:25:35PM +0200, Konstantin Belousov wrote:
>> On Sat, Jan 03, 2015 at 01:37:33PM +0000, Robert Watson wrote:
>>> I'm OK with putting the flag on the process, but frequently the
>>> process credential is where we stick security-related subject/object
>>> flags...
> Hm, credentials store the rights of the subject, related to the
> credentials (am I using the correct terminology?). While the no-trace
> attribute is not a right, it is very similar to e.g. DAC or an ACL on
> files, which are stored in the inode. No-trace is an attribute of the
> process, and by the DAC analogy, should be stored in the object which is
> protected.
>
> In other words, we do not disallow some user to do attach with ptrace,
> but mark some process as not attachable.

Processes are different from most other kernel objects in that they are both subjects and objects of operations. While subject 'credentials' in the classic UNIX model (UIDs, GIDs, additional groups) differ from object metadata (e.g., user/group/permissions), for other models the same data structures are used for both the subject and object (e.g., for most labeled MAC policies). When we do inter-process access control, the credential of the target process is used for most aspects of protection, just as file ownership/permissions would be, so these really are its object properties as much as its subject properties.

Robert
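The design point the two messages circle around, as an added toy model that is not FreeBSD kernel code and not code from either author: a ptrace attach check in which the attaching process is the subject and the target process is the object. The per-process no-trace marker (called `P_NOTRACE` here, an assumed name for this example only) lives on the target process, as Konstantin proposes, while the credential comparison uses the target's own `struct ucred` as object metadata, which is Robert's point that a process credential does double duty. The structure and function names (`struct ucred`, `struct proc`, `can_ptrace_attach`) are this example's own simplifications, and the uid-matching rule is a generic UNIX-style one, not a statement of FreeBSD's actual `p_candebug()` semantics.

```c
/* Toy model of the ptrace-attach access check discussed in the thread.
 * Assumed names and rules: not FreeBSD's implementation. */
#include <stdbool.h>
#include <stdio.h>

typedef unsigned int uid_t_;

/* Subject-side data: who is acting. The same structure is consulted on
 * the target when that process is the object of the operation. */
struct ucred {
    uid_t_ cr_uid;    /* effective uid */
    uid_t_ cr_ruid;   /* real uid */
    uid_t_ cr_svuid;  /* saved uid */
};

/* Object-side attribute: the process marks itself as not attachable.
 * It is a property of the protected object, not a right of any subject. */
#define P_NOTRACE 0x1u

struct proc {
    int pid;
    struct ucred cred;   /* doubles as object metadata for inter-process checks */
    unsigned int flags;  /* P_NOTRACE and, in a real kernel, many others */
};

enum attach_result { ATTACH_OK = 0, ATTACH_EPERM_CRED = 1, ATTACH_EPERM_NOTRACE = 2 };

/* Decide whether `subject` may ptrace-attach to `target`.
 *  1. Object attribute: a P_NOTRACE target refuses every attacher in this
 *     model ("mark some process as not attachable").
 *  2. Credential comparison (generic, simplified): uid 0 may attach to
 *     anything else; an unprivileged subject may attach only when all of
 *     the target's uids equal the subject's effective uid. */
enum attach_result
can_ptrace_attach(const struct proc *subject, const struct proc *target)
{
    if (target->flags & P_NOTRACE)
        return ATTACH_EPERM_NOTRACE;

    const struct ucred *s = &subject->cred;
    const struct ucred *t = &target->cred;

    if (s->cr_uid == 0)
        return ATTACH_OK;
    if (t->cr_uid == s->cr_uid && t->cr_ruid == s->cr_uid && t->cr_svuid == s->cr_uid)
        return ATTACH_OK;
    return ATTACH_EPERM_CRED;
}

/* Constructed scenarios (sample data for this example). The index selects
 * the case so a caller can check each decision individually. */
enum attach_result
scenario(int which)
{
    struct proc debugger = { .pid = 100, .cred = { 1001, 1001, 1001 }, .flags = 0 };
    struct proc root_dbg = { .pid = 101, .cred = { 0, 0, 0 }, .flags = 0 };
    struct proc plain    = { .pid = 200, .cred = { 1001, 1001, 1001 }, .flags = 0 };
    struct proc setuid   = { .pid = 201, .cred = { 0, 1001, 0 }, .flags = 0 };
    struct proc sealed   = { .pid = 202, .cred = { 1001, 1001, 1001 }, .flags = P_NOTRACE };

    switch (which) {
    case 0: return can_ptrace_attach(&debugger, &plain);   /* same uids: allowed */
    case 1: return can_ptrace_attach(&debugger, &setuid);  /* euid 0 target: cred denies */
    case 2: return can_ptrace_attach(&root_dbg, &setuid);  /* root subject: allowed */
    case 3: return can_ptrace_attach(&debugger, &sealed);  /* object flag denies */
    case 4: return can_ptrace_attach(&root_dbg, &sealed);  /* flag denies even root here */
    default: return ATTACH_EPERM_CRED;
    }
}

int main(void)
{
    static const char *names[] = { "ok", "eperm (credential)", "eperm (no-trace flag)" };
    for (int i = 0; i < 5; i++)
        printf("scenario %d: %s\n", i, names[scenario(i)]);
    return 0;
}
```

Scenario 4 is where the placement question bites: with the marker on the process object the check can be applied before any credential comparison, so the decision does not depend on who the subject is. Putting the same bit in a credential would instead tie it to whichever credential the target happened to hold, which changes on setuid and credential-swap operations.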
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?C3D29830-F75B-4EBD-88C4-F3C51DF7AB45>