diff options
| author | Kees Cook <keescook@chromium.org> | 2012-08-09 22:01:26 -0400 |
|---|---|---|
| committer | James Morris <james.l.morris@oracle.com> | 2012-08-10 05:58:07 -0400 |
| commit | 9d8dad742ad1c74d7e7210ee05d0b44961d5ea16 (patch) | |
| tree | b1e738bf17987552cdace2695d8b77328dc29bcf /Documentation/security | |
| parent | f4ba394c1b02e7fc2179fda8d3941a5b3b65efb6 (diff) | |
Yama: higher restrictions should block PTRACE_TRACEME
The higher ptrace restriction levels should be blocking even
PTRACE_TRACEME requests. The comments in the LSM documentation are
misleading about when the checks happen (the parent does not go through
security_ptrace_access_check() on a PTRACE_TRACEME call).
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org # 3.5.x and later
Signed-off-by: James Morris <james.l.morris@oracle.com>
Diffstat (limited to 'Documentation/security')
| -rw-r--r-- | Documentation/security/Yama.txt | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/Documentation/security/Yama.txt b/Documentation/security/Yama.txt index e369de2d48cd..dd908cf64ecf 100644 --- a/Documentation/security/Yama.txt +++ b/Documentation/security/Yama.txt | |||
| @@ -46,14 +46,13 @@ restrictions, it can call prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, ...) | |||
| 46 | so that any otherwise allowed process (even those in external pid namespaces) | 46 | so that any otherwise allowed process (even those in external pid namespaces) |
| 47 | may attach. | 47 | may attach. |
| 48 | 48 | ||
| 49 | These restrictions do not change how ptrace via PTRACE_TRACEME operates. | 49 | The sysctl settings (writable only with CAP_SYS_PTRACE) are: |
| 50 | |||
| 51 | The sysctl settings are: | ||
| 52 | 50 | ||
| 53 | 0 - classic ptrace permissions: a process can PTRACE_ATTACH to any other | 51 | 0 - classic ptrace permissions: a process can PTRACE_ATTACH to any other |
| 54 | process running under the same uid, as long as it is dumpable (i.e. | 52 | process running under the same uid, as long as it is dumpable (i.e. |
| 55 | did not transition uids, start privileged, or have called | 53 | did not transition uids, start privileged, or have called |
| 56 | prctl(PR_SET_DUMPABLE...) already). | 54 | prctl(PR_SET_DUMPABLE...) already). Similarly, PTRACE_TRACEME is |
| 55 | unchanged. | ||
| 57 | 56 | ||
| 58 | 1 - restricted ptrace: a process must have a predefined relationship | 57 | 1 - restricted ptrace: a process must have a predefined relationship |
| 59 | with the inferior it wants to call PTRACE_ATTACH on. By default, | 58 | with the inferior it wants to call PTRACE_ATTACH on. By default, |
| @@ -61,12 +60,13 @@ The sysctl settings are: | |||
| 61 | classic criteria is also met. To change the relationship, an | 60 | classic criteria is also met. To change the relationship, an |
| 62 | inferior can call prctl(PR_SET_PTRACER, debugger, ...) to declare | 61 | inferior can call prctl(PR_SET_PTRACER, debugger, ...) to declare |
| 63 | an allowed debugger PID to call PTRACE_ATTACH on the inferior. | 62 | an allowed debugger PID to call PTRACE_ATTACH on the inferior. |
| 63 | Using PTRACE_TRACEME is unchanged. | ||
| 64 | 64 | ||
| 65 | 2 - admin-only attach: only processes with CAP_SYS_PTRACE may use ptrace | 65 | 2 - admin-only attach: only processes with CAP_SYS_PTRACE may use ptrace |
| 66 | with PTRACE_ATTACH. | 66 | with PTRACE_ATTACH, or through children calling PTRACE_TRACEME. |
| 67 | 67 | ||
| 68 | 3 - no attach: no processes may use ptrace with PTRACE_ATTACH. Once set, | 68 | 3 - no attach: no processes may use ptrace with PTRACE_ATTACH nor via |
| 69 | this sysctl cannot be changed to a lower value. | 69 | PTRACE_TRACEME. Once set, this sysctl value cannot be changed. |
| 70 | 70 | ||
| 71 | The original children-only logic was based on the restrictions in grsecurity. | 71 | The original children-only logic was based on the restrictions in grsecurity. |
| 72 | 72 | ||