diff options
| author | Kees Cook <keescook@chromium.org> | 2012-04-16 14:56:45 -0400 |
|---|---|---|
| committer | James Morris <james.l.morris@oracle.com> | 2012-04-18 23:39:56 -0400 |
| commit | 389da25f93eea8ff64181ae7e3e87da68acaef2e (patch) | |
| tree | 09277860746b3372cbb49ea82868709cbae99ec3 /Documentation/security/Yama.txt | |
| parent | 8156b451f37898d3c3652b4e988a4d62ae16eaac (diff) | |
Yama: add additional ptrace scopes
This expands the available Yama ptrace restrictions to include two more
modes. Mode 2 requires CAP_SYS_PTRACE for PTRACE_ATTACH, and mode 3
completely disables PTRACE_ATTACH (and locks the sysctl).
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Diffstat (limited to 'Documentation/security/Yama.txt')
| -rw-r--r-- | Documentation/security/Yama.txt | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/Documentation/security/Yama.txt b/Documentation/security/Yama.txt index a9511f179069..e369de2d48cd 100644 --- a/Documentation/security/Yama.txt +++ b/Documentation/security/Yama.txt | |||
| @@ -34,7 +34,7 @@ parent to a child process (i.e. direct "gdb EXE" and "strace EXE" still | |||
| 34 | work), or with CAP_SYS_PTRACE (i.e. "gdb --pid=PID", and "strace -p PID" | 34 | work), or with CAP_SYS_PTRACE (i.e. "gdb --pid=PID", and "strace -p PID" |
| 35 | still work as root). | 35 | still work as root). |
| 36 | 36 | ||
| 37 | For software that has defined application-specific relationships | 37 | In mode 1, software that has defined application-specific relationships |
| 38 | between a debugging process and its inferior (crash handlers, etc), | 38 | between a debugging process and its inferior (crash handlers, etc), |
| 39 | prctl(PR_SET_PTRACER, pid, ...) can be used. An inferior can declare which | 39 | prctl(PR_SET_PTRACER, pid, ...) can be used. An inferior can declare which |
| 40 | other process (and its descendents) are allowed to call PTRACE_ATTACH | 40 | other process (and its descendents) are allowed to call PTRACE_ATTACH |
| @@ -46,6 +46,8 @@ restrictions, it can call prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, ...) | |||
| 46 | so that any otherwise allowed process (even those in external pid namespaces) | 46 | so that any otherwise allowed process (even those in external pid namespaces) |
| 47 | may attach. | 47 | may attach. |
| 48 | 48 | ||
| 49 | These restrictions do not change how ptrace via PTRACE_TRACEME operates. | ||
| 50 | |||
| 49 | The sysctl settings are: | 51 | The sysctl settings are: |
| 50 | 52 | ||
| 51 | 0 - classic ptrace permissions: a process can PTRACE_ATTACH to any other | 53 | 0 - classic ptrace permissions: a process can PTRACE_ATTACH to any other |
| @@ -60,6 +62,12 @@ The sysctl settings are: | |||
| 60 | inferior can call prctl(PR_SET_PTRACER, debugger, ...) to declare | 62 | inferior can call prctl(PR_SET_PTRACER, debugger, ...) to declare |
| 61 | an allowed debugger PID to call PTRACE_ATTACH on the inferior. | 63 | an allowed debugger PID to call PTRACE_ATTACH on the inferior. |
| 62 | 64 | ||
| 65 | 2 - admin-only attach: only processes with CAP_SYS_PTRACE may use ptrace | ||
| 66 | with PTRACE_ATTACH. | ||
| 67 | |||
| 68 | 3 - no attach: no processes may use ptrace with PTRACE_ATTACH. Once set, | ||
| 69 | this sysctl cannot be changed to a lower value. | ||
| 70 | |||
| 63 | The original children-only logic was based on the restrictions in grsecurity. | 71 | The original children-only logic was based on the restrictions in grsecurity. |
| 64 | 72 | ||
| 65 | ============================================================== | 73 | ============================================================== |