ptrace: allow restriction of ptrace scope
in [Kernel]
|
From: Serge E. Hallyn on 18 Jun 2010 08:40 Quoting Roland McGrath (roland(a)redhat.com): > > Though, honestly, just trying to get rid of PTRACE seems like the better > > place to spend time. > > Crushing irony of telling *me* this duly noted. ;-) > I am not really sure what deeply different set of security constraints > you envision on any other kind of new debugger interface that would be > any different for the concerns you've expressed, though. > > > > I don't think "task->pid > 0" is a sort of check that is used elsewhere in > > > the kernel for this. Perhaps "task == &init_task" would be better. > > > > Is this correct for pid_ns? I thought pid 1 (regardless of NS) would have > > a NULL parent? > > Don't ask me. I just mentioned pid_ns to get those who really know about > it to feel obliged to review your code. task->pid always holds the global pid, so 0 and 1 will be the global idle and init tasks. As for this particular patch, Quoting Kees Cook (kees.cook(a)canonical.com): >> running state of any of their processes. For example, if one application >>(e.g. Pidgin) was compromised, it would be possible for an attacker to >>attach to other running processes (e.g. Firefox, SSH sessions, GPG agent, >>etc) to extract additional credentials and continue to expand the scope >>of their attack without resorting to user-assisted phishing. Well that's why I like to run things like firefox, irc clients, etc each as their own userid. That also protects my ssh keys from irc client. But things like clicking urls in terminals to fire them up in a browser aren't usually hooked up right when you do that. Not that it'd be impossible to do right. Anyway, if you're going to do this (sounds like, as a tiny-lsm?), how about replacing the sysctl with a per-task flag which, once set, can't be unset? Then firefox can mark itself unable-to-ptrace (or I can do so in a wrapper before calling firefox.real), after which it cannot strace anything which isn't its descendent, but I can still strace firefox from my shell. Of course, don't bother with that change unless someone seconds the suggestion, in case ppl don't like it and ask you to change it back :) -serge -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Eric W. Biederman on 18 Jun 2010 10:00 Theodore Tso <tytso(a)MIT.EDU> writes: > i think we really need to have stacked LSM's, because there is a large set > of people who will never use SELinux. Every few years, I take another > look at SELinux, my head explodes with the (IMHO unneeded complexity), > and I go away again... > > Yet I would really like a number of features such as this ptrace scope idea --- > which I think is a useful feature, and it may be that stacking is the only > way we can resolve this debate. The SELinux people will never believe that > their system is too complicated, and I don't like using things that are impossible > for me to understand or configure, and that doesn't seem likely to change anytime > in the near future. > > I mean, even IPSEC RFC's are easier for me to understand, and that's saying > a lot... If anyone is going to work on this let me make a concrete suggestion. Let's aim at not stacked lsm's but chained lsm's, and put the chaining logic in the lsm core. The core difficulty appears to be how do you multiplex the security pointers on various objects out there. My wishlist has this working so that I can logically have a local security policy in a container, restricted by the global policy but with additional restrictions. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Serge E. Hallyn on 18 Jun 2010 10:30 Quoting Eric W. Biederman (ebiederm(a)xmission.com): > Theodore Tso <tytso(a)MIT.EDU> writes: > > > i think we really need to have stacked LSM's, because there is a large set > > of people who will never use SELinux. Every few years, I take another > > look at SELinux, my head explodes with the (IMHO unneeded complexity), > > and I go away again... > > > > Yet I would really like a number of features such as this ptrace scope idea --- > > which I think is a useful feature, and it may be that stacking is the only > > way we can resolve this debate. The SELinux people will never believe that > > their system is too complicated, and I don't like using things that are impossible > > for me to understand or configure, and that doesn't seem likely to change anytime > > in the near future. > > > > I mean, even IPSEC RFC's are easier for me to understand, and that's saying > > a lot... > > > If anyone is going to work on this let me make a concrete suggestion. > Let's aim at not stacked lsm's but chained lsm's, and put the chaining > logic in the lsm core. > > The core difficulty appears to be how do you multiplex the security pointers > on various objects out there. Here ya go, chaining for lsm security pointers: http://lists.jammed.com/linux-security-module/2004/11/ http://lwn.net/Articles/114588/ :) > My wishlist has this working so that I can logically have a local security > policy in a container, restricted by the global policy but with additional > restrictions. At the upcoming linux security summit[1], colocated with linuxcon, Kees is going to be doing a talk 'widely used but out of tree', where presumably the topic of stacking LSMs will come back up. If we were going to seriously consider stacking LSMs again, I'd want to dig through archives to produce a precise list of previous issues, so we can build on that to try and design something which might work. So I guess I'm suggesting a beer BOF for the evening or next day for discussing design in more detail. The general answer tends to be "generic stacking doesn't work, LSMs need to know about each other." But even for that (as evidenced by the selinux+commoncap experience with stacking) is hairy, and more to the point it probably does not scale when we have 5-10 small LSMs. I.e. LSM 1 wants to prevent some action while LSM 2 requires that action to succeed so that it can properly prevent another action. Concrete examples are buried in the stacker discussions on the lsm list from 2004-2005. Mind you, I'm not interested in doing a stacking patchset myself again, would prefer to spend my time on user namespaces. I'm not even sure which side of the stacking-vs-nostacking fence I'll be on, except that I always prefer to discuss based on experience with real code than pie-in-the-skie arguments, so would encourage patches. I do suspect once we better understand user namespaces we may have want for fewer little LSMs. So someone else can have all the fun to themselves :) -serge [1] https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Kees Cook on 18 Jun 2010 14:00 Hi, On Thu, Jun 17, 2010 at 11:30:54PM +0100, Alan Cox wrote: > - You can give up now. Failure is always an option! :) Nah, I was never deluded into thinking these patches were going to be universally-loved and easy to upstream. I posted them because I want them in, and I'm going to stick with it. > - You can put it together as a security module - which will make people > happy and get your stuff upstream. After that you can have a meaningful > discussion about stacking, although I think you'll find that stacking > is really really hard because you get conflicting behaviour between > security modules and ignoring those conflicts ends up violating at least > one of the security models leaving you worse not better off. > > Your path to making any of the stuff you want happen is via the security > layer and the LSM hooks. Even if you want them stackable and usable with > other modules your starting point is still a security module. Sounds like this really is the only path, with the idea of finding a chaining solution later. Without chaining, it's only useful for people that aren't using a full MAC. -Kees -- Kees Cook Ubuntu Security Team -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Tetsuo Handa on 18 Jun 2010 22:20
Kees Cook wrote: > If all I cared about was the default Ubuntu distro, I wouldn't forward > these patches at all. As it turns out, I care about all kinds of > configurations, e.g. people using SELinux on Ubuntu, AppArmor on SUSE, > no LSM on Fedora, grsecurity on Gentoo, or TOMOYO on Debian. There are > all kinds of combinations, obviously, and I'm interested in making this > stuff available to anyone and everyone. Security modules supported by distributor's kernels are one of benchmarks for Linux users when deciding distro to use. But it is just one of benchmarks. Linux users do not decide distro only with security modules supported by distributor's kernels. Linux users choose distro with various benchmarks. Forcing Linux users to choose specific distro which supports SELinux in order to use ptrace restriction is nonsense. > The "just use SELinux" reply is tiresome. If "everyone" used SELinux, > there wouldn't be at least 3 other LSMs under active development. SELinux indeed has many functionalities. But SELinux cannot provide ability to perform restriction based on pathnames. "SELinux can do everything" is wrong. If there were an all-in-one application that supports web browsing, mail, writing, music, chat, scheduler etc., will "everyone" use that all-in-one application? At least, I won't use it because it is too complicated to use. I use X-desktop only when I need to use. I use SSH terminal if I can achieve what I want to do. I'm not happy with spending my time for understanding how to configure X-desktop. Being unable to configure SELinux by Linux users leads to SELinux being unavailable for Linux users. If something is blocked by SELinux, Linux users simply set SELINUX=disabled in /etc/selinux/config rather than finding how to configure SELinux because they don't know what functionalities are provided by SELinux and which configuration is wrong. Linux users are seeking for solutions that they can understand and configure by themselves. > The PTRACE, symlink, and other stuff are features people want. If the > point of your argument is that the logic and configuration for each > of these features should be added to every LSM, that's not sensible. > An end user should be able to pick and choose what they want. If I > create the security/hideous/ LSM tree, it would _exclude_ the ability to > use TOMOYO or Smack or SELinux or AppArmor. I have strong complaint about closed nature of LSM community. I believe Linux kernel's duty is to serve userspace applications and Linux users. But whenever discussion about access control arises, the conclusion comes from Linux kernel developer's viewpoint rather than Linux user's viewpoint; i.e. "You can do it using SELinux (or netfilter or whatever in-tree code). Thus spend your time for understanding how to configure it". But that is too difficult for Linux users. No LSM module can provide all functionalities. When users want to introduce a security mechanism that provides specific functionalities, LSM is the only choice. This forces users to give up other security mechanisms that provide different functionalities because LSM is exclusive. Windows users are picking and choosing what they want for security, and are experiencing what combinations are good and what combinations are bad at their own risk. But Linux users can't because LSM developers complain conflicts and deprive Linux users of chances for experiencing what combinations are good and what combinations are bad. LSM modules can't be loaded upon runtime since 2.6.24. 2.6.24 strengthened the barrier for Linux users when they want to choose different security module because replacing vmlinux is a very very high barrier. Linux is behind Windows regarding security hooks. Linux kernel's duty is to serve userspace applications and Linux users, no? Why not to provide Linux users ability to pick and choose what they want at their own risk (rather than complaining conflicts forever)? -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ |