| Kees Cook | 730daa1 | 2015-07-23 18:02:48 -0700 | [diff] [blame] | 1 | Yama is a Linux Security Module that collects system-wide DAC security |
| 2 | protections that are not handled by the core kernel itself. This is |
| 3 | selectable at build-time with CONFIG_SECURITY_YAMA, and can be controlled |
| 4 | at run-time through sysctls in /proc/sys/kernel/yama: |
| Kees Cook | 2d51448 | 2011-12-21 12:17:04 -0800 | [diff] [blame] | 5 | |
| 6 | - ptrace_scope |
| 7 | |
| 8 | ============================================================== |
| 9 | |
| 10 | ptrace_scope: |
| 11 | |
| 12 | As Linux grows in popularity, it will become a larger target for |
| 13 | malware. One particularly troubling weakness of the Linux process |
| 14 | interfaces is that a single user is able to examine the memory and |
| 15 | running state of any of their processes. For example, if one application |
| 16 | (e.g. Pidgin) was compromised, it would be possible for an attacker to |
| 17 | attach to other running processes (e.g. Firefox, SSH sessions, GPG agent, |
| 18 | etc) to extract additional credentials and continue to expand the scope |
| 19 | of their attack without resorting to user-assisted phishing. |
| 20 | |
| 21 | This is not a theoretical problem. SSH session hijacking |
| 22 | (http://www.storm.net.nz/projects/7) and arbitrary code injection |
| 23 | (http://c-skills.blogspot.com/2007/05/injectso.html) attacks already |
| 24 | exist and remain possible if ptrace is allowed to operate as before. |
| 25 | Since ptrace is not commonly used by non-developers and non-admins, system |
| 26 | builders should be allowed the option to disable this debugging system. |
| 27 | |
| 28 | For a solution, some applications use prctl(PR_SET_DUMPABLE, ...) to |
| 29 | specifically disallow such ptrace attachment (e.g. ssh-agent), but many |
| 30 | do not. A more general solution is to only allow ptrace directly from a |
| 31 | parent to a child process (i.e. direct "gdb EXE" and "strace EXE" still |
| 32 | work), or with CAP_SYS_PTRACE (i.e. "gdb --pid=PID", and "strace -p PID" |
| 33 | still work as root). |
| 34 | |
| Kees Cook | 389da25 | 2012-04-16 11:56:45 -0700 | [diff] [blame] | 35 | In mode 1, software that has defined application-specific relationships |
| Kees Cook | 2d51448 | 2011-12-21 12:17:04 -0800 | [diff] [blame] | 36 | between a debugging process and its inferior (crash handlers, etc), |
| 37 | prctl(PR_SET_PTRACER, pid, ...) can be used. An inferior can declare which |
| Carlos Garcia | c98be0c | 2014-04-04 22:31:00 -0400 | [diff] [blame] | 38 | other process (and its descendants) are allowed to call PTRACE_ATTACH |
| Kees Cook | 2d51448 | 2011-12-21 12:17:04 -0800 | [diff] [blame] | 39 | against it. Only one such declared debugging process can exists for |
| 40 | each inferior at a time. For example, this is used by KDE, Chromium, and |
| 41 | Firefox's crash handlers, and by Wine for allowing only Wine processes |
| Kees Cook | bf06189 | 2012-02-14 16:48:09 -0800 | [diff] [blame] | 42 | to ptrace each other. If a process wishes to entirely disable these ptrace |
| 43 | restrictions, it can call prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, ...) |
| 44 | so that any otherwise allowed process (even those in external pid namespaces) |
| 45 | may attach. |
| 46 | |
| Kees Cook | 9d8dad7 | 2012-08-09 19:01:26 -0700 | [diff] [blame] | 47 | The sysctl settings (writable only with CAP_SYS_PTRACE) are: |
| Kees Cook | 2d51448 | 2011-12-21 12:17:04 -0800 | [diff] [blame] | 48 | |
| 49 | 0 - classic ptrace permissions: a process can PTRACE_ATTACH to any other |
| 50 | process running under the same uid, as long as it is dumpable (i.e. |
| 51 | did not transition uids, start privileged, or have called |
| Kees Cook | 9d8dad7 | 2012-08-09 19:01:26 -0700 | [diff] [blame] | 52 | prctl(PR_SET_DUMPABLE...) already). Similarly, PTRACE_TRACEME is |
| 53 | unchanged. |
| Kees Cook | 2d51448 | 2011-12-21 12:17:04 -0800 | [diff] [blame] | 54 | |
| 55 | 1 - restricted ptrace: a process must have a predefined relationship |
| 56 | with the inferior it wants to call PTRACE_ATTACH on. By default, |
| 57 | this relationship is that of only its descendants when the above |
| 58 | classic criteria is also met. To change the relationship, an |
| 59 | inferior can call prctl(PR_SET_PTRACER, debugger, ...) to declare |
| 60 | an allowed debugger PID to call PTRACE_ATTACH on the inferior. |
| Kees Cook | 9d8dad7 | 2012-08-09 19:01:26 -0700 | [diff] [blame] | 61 | Using PTRACE_TRACEME is unchanged. |
| Kees Cook | 2d51448 | 2011-12-21 12:17:04 -0800 | [diff] [blame] | 62 | |
| Kees Cook | 389da25 | 2012-04-16 11:56:45 -0700 | [diff] [blame] | 63 | 2 - admin-only attach: only processes with CAP_SYS_PTRACE may use ptrace |
| Kees Cook | 9d8dad7 | 2012-08-09 19:01:26 -0700 | [diff] [blame] | 64 | with PTRACE_ATTACH, or through children calling PTRACE_TRACEME. |
| Kees Cook | 389da25 | 2012-04-16 11:56:45 -0700 | [diff] [blame] | 65 | |
| Kees Cook | 9d8dad7 | 2012-08-09 19:01:26 -0700 | [diff] [blame] | 66 | 3 - no attach: no processes may use ptrace with PTRACE_ATTACH nor via |
| 67 | PTRACE_TRACEME. Once set, this sysctl value cannot be changed. |
| Kees Cook | 389da25 | 2012-04-16 11:56:45 -0700 | [diff] [blame] | 68 | |
| Kees Cook | 2d51448 | 2011-12-21 12:17:04 -0800 | [diff] [blame] | 69 | The original children-only logic was based on the restrictions in grsecurity. |
| 70 | |
| 71 | ============================================================== |