LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

SELinuxDenyPtrace and security by default

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 10:32 UTC (Thu) by tialaramex (subscriber, #21167)
In reply to: SELinuxDenyPtrace and security by default by JoeBuck
Parent article: SELinuxDenyPtrace and security by default

Roughly the same problem exists on locked down Windows (installing a debugger hook requires System privileges, but the local user may not legitimately have System privileges) and presumably companies that want their C or C++ developers to be at all effective have come up with a policy and mechanisms to handle this case.

Would it be better to have millions of locked down machines where the user doesn't need ptrace and there is a boolean that would disable it, but the user lacks privileges to enable that boolean?

I _think_ SELinux could be configured to grant ptrace rights to binaries like gdb, but the problem is that this mostly undoes the security benefit of removing the privilege in the first place.

Maybe a nice alternative would be to enable ptrace by default only for processes which are marked at exec-time in some way as volunteering to be traced. The "your children" rule is a primitive version of this restriction, but a smarter one could allow for almost all legitimate debugging. The only special case where you'd want to turn off the boolean then would be debugging of a production system that has some error you can't reproduce under test conditions yet must anyhow diagnose and fix. That's a narrow enough case that requiring people to jump through hoops ought to be acceptable.

(Log in to post comments)

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 13:48 UTC (Thu) by cesarb (subscriber, #6266) [Link]

> Maybe a nice alternative would be to enable ptrace by default only for processes which are marked at exec-time in some way as volunteering to be traced.

Android has something like that, the android:debuggable attribute:

https://developer.android.com/guide/topics/manifest/appli...

SELinuxDenyPtrace and security by default

Posted Apr 13, 2012 15:50 UTC (Fri) by bronson (subscriber, #4806) [Link]

That doesn't fix the drkonqui problem... Maybe reverse the sense? Only allow programs marked by root as ptrace-trusted to run ptrace?

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 14:23 UTC (Thu) by niner (subscriber, #26151) [Link]

"presumably companies that want their C or C++ developers to be at all effective have come up with a policy and mechanisms to handle this case."

The policy is to let the developers work as local administrator which hardly is an improvement over unrestricted ptrace...

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 14:33 UTC (Thu) by raven667 (subscriber, #5198) [Link]

That's still an improvement over everyone who is not developing software also having this enabled.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds