Re: Review of ptrace Yama ptrace_scope description

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Jun 27, 2016 at 11:11 PM, Michael Kerrisk (man-pages)
<mtk.manpages@xxxxxxxxx> wrote:
> Hi Jann,
>
>
> On 06/25/2016 04:30 PM, Jann Horn wrote:
>>
>> On Sat, Jun 25, 2016 at 09:30:43AM +0200, Michael Kerrisk (man-pages)
>> wrote:
>>>
>>> Hi Kees,
>>>
>>> So, last year, I added some documentation to ptrace(2) to describe
>>> the Yama ptrace_scope file. I don't think I asked you for review
>>> at the time, but in the light of other changes to the ptrace(2)
>>> page, it occurred to me that it might be a good idea to ask you
>>> to check the text below to see if anything is missing or could be
>>> improved. Might you have a moment for that?
>>>
>>>    /proc/sys/kernel/yama/ptrace_scope
>>>        On systems with the Yama Linux Security Module (LSM)  installed
>>>        (i.e.,  the  kernel  was configured with CONFIG_SECURITY_YAMA),
>>>        the /proc/sys/kernel/yama/ptrace_scope  file  (available  since
>>>        Linux  3.4)  can  be  used  to  restrict the ability to trace a
>>>        process with ptrace(2) (and thus also the ability to use  tools
>>>        such  as  strace(1) and gdb(1)).  The goal of such restrictions
>>>        is to prevent attack escalation whereby a  compromised  process
>>>        can  ptrace-attach  to  other  sensitive processes (e.g., a GPG
>>>        agent or an SSH session) owned by the user  in  order  to  gain
>>>        additional credentials and thus expand the scope of the attack.

Maybe clarify "additional credentials that may exist in memory only and thus..."

>>>
>>>        More precisely, the Yama LSM limits two types of operations:
>>>
>>>        *  Any   operation   that   performs   a   ptrace  access  mode
>>>           PTRACE_MODE_ATTACH     check—for      example,      ptrace()
>>>           PTRACE_ATTACH.   (See the "Ptrace access mode checking" dis‐
>>>           cussion above.)
>>>
>>>        *  ptrace() PTRACE_TRACEME.
>>>
>>>        A process that has the CAP_SYS_PTRACE capability can update the
>>>        /proc/sys/kernel/yama/ptrace_scope file with one of the follow‐
>>>        ing values:
>>>
>>>        0 ("classic ptrace permissions")
>>>               No additional restrictions on  operations  that  perform
>>>               PTRACE_MODE_ATTACH  checks  (beyond those imposed by the
>>>               commoncap and other LSMs).
>>>
>>>               The use of PTRACE_TRACEME is unchanged.
>>>
>>>        1 ("restricted ptrace") [default value]
>>>               When   performing   an   operation   that   requires   a
>>>               PTRACE_MODE_ATTACH  check, the calling process must have
>>>               a predefined relationship with the target  process.   By
>>>               default,  the predefined relationship is that the target
>>>               process must be a child of the caller.
>>>
>>>               A target process can employ the prctl(2)  PR_SET_PTRACER
>>>               operation  to declare a different PID that is allowed to
>>>               perform PTRACE_MODE_ATTACH  operations  on  the  target.
>>>               See   the   kernel   source   file   Documentation/secu‐
>>>               rity/Yama.txt for further details.
>>>
>>>               The use of PTRACE_TRACEME is unchanged.
>>
>>
>> (namespaced) CAP_SYS_PTRACE is also sufficient here.
>>
>>
>> Both here and in the "admin-only attach" case, it is IMO important to
>> note that creating a user namespace effectively removes the Yama
>> protection because the owner of a namespace, when accessing its
>> contents from outside, is relatively capable.
>>
>> This means that when a process tries to use namespaces to sandbox
>> itself, it inadvertently makes itself more accessible.
>>
>> (This could probably be worked around in the kernel, but such a
>> workaround would likely not be default, but rather opt-in via a new
>> flag for clone() and unshare() or so.)
>
>
> Tanks for catching this!
>
> So I've made that section of text:
>
>        A  process  that  has the CAP_SYS_PTRACE capability can update the
>        /proc/sys/kernel/yama/ptrace_scope file with one of the  following
>        values:
>
>        0 ("classic ptrace permissions")
>               No  additional  restrictions  on  operations  that  perform
>               PTRACE_MODE_ATTACH checks (beyond those imposed by the com‐
>               moncap and other LSMs).
>
>               The use of PTRACE_TRACEME is unchanged.
>
>        1 ("restricted ptrace") [default value]
>               When    performing    an    operation   that   requires   a
>               PTRACE_MODE_ATTACH check, the calling process  must  either
>               have the CAP_SYS_PTRACE capability in the user namespace of
>               the target process or it  have  a  predefined  relationship
>               with  the target process.  By default, the predefined rela‐
>               tionship is that the target process must be a child of  the
>               caller.

More accurately, must be a descendant of the caller (grand child is fine, etc).

>
>               A  target  process  can  employ the prctl(2) PR_SET_PTRACER
>               operation to declare a different PID  that  is  allowed  to
>               perform  PTRACE_MODE_ATTACH  operations on the target.  See
>               the kernel source file Documentation/security/Yama.txt  for
>               further details.

I would say "additional" pid to perform... since its ancestors can
still ptrace it too.

>
>               The use of PTRACE_TRACEME is unchanged.
>
>        2 ("admin-only attach")
>               Only  processes  with  the CAP_SYS_PTRACE capability in the
>               user  namespace  of  the   target   process   may   perform
>               PTRACE_MODE_ATTACH operations or trace children that employ
>               PTRACE_TRACEME.
>
>        3 ("no attach")
>               No process may  perform  PTRACE_MODE_ATTACH  operations  or
>               trace children that employ PTRACE_TRACEME.
>
>               Once  this value has been written to the file, it cannot be
>               changed.
>
>        With respect to values 1 and 2, note that creating a  user  names‐
>        pace effectively removes the Yama protection, because the owner of
>        a  namespace,  when  accessing  its  members  from  outside,   has
>        CAP_SYS_PTRACE  within  the  namespace.   This  means  that when a
>        process tries to use namespaces to  sandbox  itself,  it  inadver‐
>        tently weakens the protections offered by the Yama LSM.

Perhaps clarify "has CAP_SYS_PTRACE within all its namespaces, so the
ancestry rule is bypassed"?

>
>
> Okay?

Otherwise it looks great, thanks for writing it up!

-Kees

>
>
> Cheers,
>
> Michael
>
>
> --
> Michael Kerrisk
> Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
> Linux/UNIX System Programming Training: http://man7.org/training/



-- 
Kees Cook
Chrome OS & Brillo Security
--
To unsubscribe from this list: send the line "unsubscribe linux-api" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux