Disabling ptrace

Robert N. M. Watson rwatson at FreeBSD.org
Sat Jan 3 17:38:21 UTC 2015


On 3 Jan 2015, at 16:32, Konstantin Belousov <kostikbel at gmail.com> wrote:
> 
> On Sat, Jan 03, 2015 at 04:25:35PM +0200, Konstantin Belousov wrote:
>> On Sat, Jan 03, 2015 at 01:37:33PM +0000, Robert Watson wrote:
>>> I'm OK with putting the flag on the process, but frequently the
>>> process credential is where we stick security-related subject/object
>>> flags...
> Hm, credentials store the rights of the subject, related to the
> credentials (am I using the correct terminology?). While the no-trace
> attribute is not rights, it is very similar to e.g. DAC or ACL on the
> files, which are stored in inode. No-trace is an attribute of the
> process, and by the DAC analogy, should be stored in the object which is
> protected.
> 
> In other words, we do not disallow some user to do attach with ptrace,
> but mark some process as not attachable.

Processes are different from most other kernel objects in that they are both subjects and objects of operations. While subject 'credentials' in the classic UNIX model (UIDs, GIDs, additional groups) differ from object metadata (e.g., user/group/permissions), for other models the same data structures are used for both the subject and object (e.g., for most labeled MAC policies). When we do inter-process access control, the credential of the target process is used for most aspects of protection, just as file ownership/permissions would be, so really are its object properties as much as its subject properties.

Robert


More information about the freebsd-arch mailing list