From Fedora Project Wiki
(reverting the "default on" documentation changes, as selinux-policy-3.10.0-112 corrects it)
 
(5 intermediate revisions by the same user not shown)
Line 3: Line 3:
== Summary ==
== Summary ==
<!-- A sentence or two summarizing what this feature is and what it will do.  This information is used for the overall feature summary page for each release. -->
<!-- A sentence or two summarizing what this feature is and what it will do.  This information is used for the overall feature summary page for each release. -->
This change allows an administrator to prevent all processes on the system from ptrace'ing other processes on the system, including user processes.  The ptrace and sys_ptrace access allows one process to read the memory of another process.  It also allows one process to manipulate another process running envoronment, using tools like gdb.
This change allows an administrator to prevent all processes on the system from ptrace'ing other processes on the system, including user processes.  The ptrace and sys_ptrace access allows one process to read the memory of another process.  It also allows one process to manipulate another process running environment, using tools like gdb.


== Owner ==
== Owner ==
Line 38: Line 38:
== Scope ==
== Scope ==
<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
This change only effects Policy writers and the kernel, and those people who need debugger/tracing type tools.  Any application like strace or gdb that a programmer or system administrator wanted to run would require the administrator to turn this boolean off.
This change only effects Policy writers and the kernel.  Any application like gdb that a programmer or system administrator wanted to run would require the administrator to turn this boolean off.


== How To Test ==
== How To Test ==
Line 65: Line 65:
<!-- Is there upstream documentation on this feature, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
<!-- Is there upstream documentation on this feature, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->


This is a brand new feature, so currently there is no upstream documentation, other than this feature description.
This is a brand new feature, so currently there is no upstream documentation, other then this feature description.
 
== Release Notes ==
== Release Notes ==
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
Line 72: Line 71:
SELinux has added a new boolean, deny_ptrace.  If you are running a machine and do not plan on debugging the applications on this machine, you should turn this boolean on.  This boolean would prevent a rogue process from being able to attack another process or read its memory using tools like ptrace or gdb.  Even if the process is running as root, or the process it is trying to attack is running with the same SELinux context and label.
SELinux has added a new boolean, deny_ptrace.  If you are running a machine and do not plan on debugging the applications on this machine, you should turn this boolean on.  This boolean would prevent a rogue process from being able to attack another process or read its memory using tools like ptrace or gdb.  Even if the process is running as root, or the process it is trying to attack is running with the same SELinux context and label.


The new default is to permanently enable this protection, you execute the following command:
To permanently enable this protection, you execute the following command:


setsebool -P deny_ptrace 1
setsebool -P deny_ptrace 1
Line 79: Line 78:


setsebool deny_ptrace 0
setsebool deny_ptrace 0


== Comments and Discussion ==
== Comments and Discussion ==

Latest revision as of 16:13, 11 April 2012

Feature Name

Add a boolean to allow SELinux to turn off all processes ability to ptrace other process.

Summary

This change allows an administrator to prevent all processes on the system from ptrace'ing other processes on the system, including user processes. The ptrace and sys_ptrace access allows one process to read the memory of another process. It also allows one process to manipulate another process running environment, using tools like gdb.

Owner

  • Email: dwalsh@redhat.com

Current status

  • Targeted release: [Fedora 17]
  • Last updated: Mon Jan 23 2012
  • Percentage of completion: 100%


Detailed Description

The deny_ptrace boolean will deny all processes even the unconfined_t domain from being able to ptrace other domains. Because of this it will be optional and turned off by default. The goal of this change is not to prevent processes with the ability to change booleans from turning the boolean off. This means an unconfined_t process running as root could turn off the deny_ptrace boolean and start ptracing other processes. But an unconfined_t user logged into a system without root privs would not be able to ptrace other process even if they are running with the same UID and same SELinux Type.

Lastly this boolean will only effect policy that is shipped by Fedora, so an admin or third party can ship a package that allows ptrace. You can search for all domains that are allowed to ptrace via the following command.

  1. sesearch -A -p ptrace,sys_ptrace -C | grep -v deny_ptrace

This boolean requires Kernel 3.3 or later to avoid lots of AVC messages, since prior to the 3.3 kernel, the ps command will generate lots of AVC messages when run as root.

Benefit to Fedora

The major benefit to Fedora is increased security. Since, no process will be allowed to read the memory of another process. Meaning if you are running a server with lots of processes running as httpd_t or httpd_sys_script_t, they will be prevented from manipulating other process running with the same label. Similarly processes running by a user will not be able to look at the process memory of other processes.

A real world security issue is that processes like gnome-keyring or ssh or firefox which decrypt an encrypted file would have the password sitting in memory. Without this feature a corrupted process would be allowed to examine the other processes memory and potentially steal the secret.

Scope

This change only effects Policy writers and the kernel. Any application like gdb that a programmer or system administrator wanted to run would require the administrator to turn this boolean off.

How To Test

The command

  1. sesearch -A -p ptrace,sys_ptrace -C | grep -v deny_ptrace

On a freshly installed Fedora 17 box should show no output. Turning on the boolean you should see commands like strace and gdb start to fail with permission denied.

A Freshly installed box with the boolean turned on should be able to boot and run properly without generating any AVC messages concerning ptrace or sys_ptrace. Make sure tools like policykit, consolekit, systemd, dbus all seem to be working properly, since these tools tend to read through the /proc/PID file system. In the past reading /proc/PID could generate ptrace and sys_ptrace AVC messages.

User Experience

Most users should never be bothered by this feature being turned on. A programmer wishing to debug an application would be prevented from running the debugger until he turns the feature off.

We should not be seeing AVC's from common running applications when this boolean is turned on, if we do then a bugzilla should be opened against SELinux.

Certain applications like abrt may use the ability to ptrace/strace a process or applications like NetworkManager that execute gdb to get a traceback on a crash will be blocked by this feature. Although they should not fail to gather as much info as possible.

Documentation

This is a brand new feature, so currently there is no upstream documentation, other then this feature description.

Release Notes

SELinux has added a new boolean, deny_ptrace. If you are running a machine and do not plan on debugging the applications on this machine, you should turn this boolean on. This boolean would prevent a rogue process from being able to attack another process or read its memory using tools like ptrace or gdb. Even if the process is running as root, or the process it is trying to attack is running with the same SELinux context and label.

To permanently enable this protection, you execute the following command:

setsebool -P deny_ptrace 1

If you want to be able to debug another process you can temporarly disable this boolean by executing

setsebool deny_ptrace 0


Comments and Discussion