From Fedora Project Wiki

Revision as of 16:13, 17 January 2012

Feature Name

Allow SELinux to turn off all processes ability to ptrace another process.

Summary

This change allows an administrator to prevent all processes on the system from ptrace'ing other processes on the system, including user processes. The ptrace and sys_ptrace accesses allow one process to read the memory of another process. They also potentially allow one process to manipulate another process, using tools like gdb.

Owner

  • Email: dwalsh@redhat.com

Current status

  • Targeted release: Fedora 17
  • Last updated: Tue Jan 17 2012
  • Percentage of completion: 90%


Detailed Description

The boolean will even prevent the unconfined_t domain from being able to ptrace other domains. Because of this it will be optional and turned off by default. The goal of this change is not to prevent processes with the ability to change booleans from turning the boolean off. This means an unconfined_t process running as root could turn off the deny_ptrace boolean and start ptracing other processes. But an unconfined_t user logged into a system without root privileges would not be able to ptrace another process.

Lastly, this boolean will only affect policy that is shipped by Fedora, so an admin or third party can ship a package that allows ptrace. You can search for all domains that are allowed to ptrace via the following command.

  sesearch -A -p ptrace,sys_ptrace -C | grep -v deny_ptrace

One problem with removing the ptrace permission is that the "ps -e" command currently requires ptrace when run as root; we need a kernel update to change this.

Benefit to Fedora

The major benefit to Fedora is increased security: the assurance that one process cannot read the memory of another process. This means that if you are running a server with lots of processes running as httpd_t or httpd_sys_content_t, they will be prevented from manipulating other processes running with the same label. Similarly, processes run by a user will not be able to look at the process memory of other processes. A real world security issue is that processes like gnome-keyring or ssh or firefox which decrypt an encrypted file would have the password sitting in memory. Without this feature a corrupted process would be allowed to examine the other processes' memory and potentially steal the secret.

Scope

This change only affects policy writers and the kernel. Any application like gdb that a programmer or system administrator wants to run would require the administrator to turn this boolean off.

How To Test

The command

  sesearch -A -p ptrace,sys_ptrace -C | grep -v deny_ptrace

on a freshly installed Fedora 17 box should show no output. After turning on the boolean, you should see commands like strace and gdb start to fail.
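To check the effect described above and in the Detailed Description on a running system, here is a small probe added here (it is not part of the Fedora feature page): it forks a child, attempts PTRACE_ATTACH and reads one word of the child's memory, which is exactly the access deny_ptrace is meant to remove. With the boolean off the read succeeds; with it on, the attach should fail with EPERM and an AVC should appear in the audit log. The marker value is constructed.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed marker value that the child keeps in memory; the tracer tries to read it back. */
static long secret_word = 0x5ec7e7L;

/* Probe whether this process may ptrace a peer: fork a child, attach to it and read one word
 * of its memory. Returns 1 if attach and read succeeded, 0 if attach failed with EPERM (the
 * expected result with deny_ptrace on), -1 on any other failure. */
int probe_ptrace(int *err_out)
{
    int status, rc = -1;
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) { for (;;) pause(); }   /* child idles until the parent kills it */
    if (ptrace(PTRACE_ATTACH, child, NULL, NULL) == 0) {
        if (waitpid(child, &status, 0) == child && WIFSTOPPED(status)) {
            errno = 0;   /* PEEKDATA returns the word itself, so errno is the only error signal */
            long word = ptrace(PTRACE_PEEKDATA, child, &secret_word, NULL);
            rc = (errno == 0 && word == secret_word) ? 1 : -1; /* fork() keeps the address identical */
            ptrace(PTRACE_DETACH, child, NULL, NULL);
        }
    } else {
        /* SELinux (deny_ptrace), Yama or a capability check refuses the attach with EPERM */
        if (err_out) *err_out = errno;
        rc = (errno == EPERM) ? 0 : -1;
    }
    kill(child, SIGKILL);
    waitpid(child, &status, 0);
    return rc;
}

int main(void)
{
    int err = 0, r = probe_ptrace(&err);
    if (r == 1) puts("ptrace allowed: read the child's memory (deny_ptrace is off or not enforced)");
    else if (r == 0) printf("ptrace blocked: %s (check ausearch -m avc for a deny_ptrace denial)\n", strerror(err));
    else puts("probe failed for an unrelated reason");
    return 0;
}
```

Run it twice, once with `setsebool deny_ptrace off` and once with `setsebool deny_ptrace on`, from an unprivileged unconfined_t login; the second run should report the attach as blocked.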

User Experience

Most users should never be bothered by this feature being turned on. A programmer wishing to debug an application would be prevented from running the debugger until he turns the feature off.

We should not see AVCs from commonly running applications when this boolean is turned on; if we do, a bugzilla should be opened against SELinux.

Certain applications, such as abrt, which uses the ability to ptrace/strace a process, or NetworkManager, which executes gdb to get a traceback on a crash, will be blocked by this feature. They should still gather as much information as possible, however.

Documentation

Release Notes

Comments and Discussion