Features/SELinuxDenyPtrace

= Feature Name = Add a boolean that allows SELinux to turn off the ability of all processes to ptrace other processes.

Summary
This change allows an administrator to prevent all processes on the system, including user processes, from ptrace'ing other processes. The ptrace and sys_ptrace accesses allow one process to read the memory of another process. They also allow one process to manipulate another process's running environment, using tools like gdb.

Owner

 * Name: Daniel J Walsh
 * Email: dwalsh@redhat.com

Current status

 * Targeted release: Fedora 17
 * Last updated: Mon Jan 23 2012
 * Percentage of completion: 100%

Detailed Description
The deny_ptrace boolean denies all processes, even those in the unconfined_t domain, the ability to ptrace other domains. Because of this it is optional and turned off by default. The goal of this change is not to prevent processes with the ability to change booleans from turning the boolean off. This means an unconfined_t process running as root could turn off the deny_ptrace boolean and start ptracing other processes. But an unconfined_t user logged into a system without root privs would not be able to ptrace other processes, even ones running with the same UID and the same SELinux type.

Lastly, this boolean only affects policy shipped by Fedora, so an admin or third party can still ship a package that allows ptrace. You can search for all domains that are allowed to ptrace with the following command:

 * sesearch -A -p ptrace,sys_ptrace -C | grep -v deny_ptrace

This boolean requires kernel 3.3 or later to avoid a flood of AVC messages: prior to the 3.3 kernel, the ps command generates many ptrace-related AVC messages when run as root.

Benefit to Fedora
The major benefit to Fedora is increased security, since no process will be allowed to read the memory of another process. If you are running a server with many processes running as httpd_t or httpd_sys_script_t, they will be prevented from manipulating other processes running with the same label. Similarly, processes run by a user will not be able to look at the process memory of other processes.

A real-world security issue is that processes like gnome-keyring, ssh or firefox that decrypt an encrypted file will have the password sitting in memory. Without this feature a compromised process would be allowed to examine the other process's memory and potentially steal the secret.

Scope
This change only affects policy writers and the kernel. Any application like gdb that a programmer or system administrator wants to run would require the administrator to turn this boolean off.

How To Test
Running the command

 * sesearch -A -p ptrace,sys_ptrace -C | grep -v deny_ptrace

on a freshly installed Fedora 17 box should produce no output. After turning on the boolean, you should see commands like strace and gdb start to fail with permission denied.

A freshly installed box with the boolean turned on should be able to boot and run properly without generating any AVC messages concerning ptrace or sys_ptrace. Make sure tools like policykit, consolekit, systemd and dbus all seem to be working properly, since these tools tend to read through the /proc/PID file system. In the past, reading /proc/PID could generate ptrace and sys_ptrace AVC messages.
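The following POSIX shell script is an added example, not part of the original feature page or of Fedora's own tooling. It bundles the checks this section asks for: the kernel 3.3 minimum noted in the Detailed Description, the current state of the deny_ptrace boolean as reported by getsebool, and a scan of audit log lines for ptrace and sys_ptrace AVC denials, summarised per command and source domain so you can spot a tool like dbus or systemd that still needs a policy fix. The script name, function names and the sample AVC lines are constructed for illustration; only getsebool, uname and the standard audit AVC line format are assumed to exist as shown.

```shell
#!/bin/sh
# check_deny_ptrace.sh (hypothetical name): sanity checks for the deny_ptrace boolean.
# Usage: sh check_deny_ptrace.sh check [/path/to/audit.log]

# Returns 0 when a kernel release string ("3.3.0-4.fc17.x86_64") is 3.3 or later.
kernel_at_least_3_3() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%-*}
    if [ "$major" -gt 3 ]; then return 0; fi
    if [ "$major" -eq 3 ] && [ "$minor" -ge 3 ]; then return 0; fi
    return 1
}

# Prints on/off/unknown from a getsebool line ("deny_ptrace --> off").
# $1 lets a caller pass a canned line instead of querying the live system.
deny_ptrace_state() {
    line=${1:-$(getsebool deny_ptrace 2>/dev/null)}
    case $line in
        *"--> on")  echo on ;;
        *"--> off") echo off ;;
        *)          echo unknown ;;
    esac
}

# Reads audit lines on stdin and prints "<permission> <comm> <source type>" once
# for every distinct ptrace or sys_ptrace denial; other denials are ignored.
summarize_ptrace_avcs() {
    awk '
        /avc: +denied +[{] (ptrace|sys_ptrace) [}]/ {
            perm = ""; comm = ""; stype = ""
            if (match($0, /[{] (ptrace|sys_ptrace) [}]/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            if (match($0, /comm="[^"]*"/))
                comm = substr($0, RSTART + 6, RLENGTH - 7)
            if (match($0, /scontext=[^ ]*/)) {
                split(substr($0, RSTART + 9, RLENGTH - 9), f, ":")
                stype = f[3]   # user:role:type:range -> type
            }
            key = perm " " comm " " stype
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Constructed sample audit lines (not from a real machine): a repeated gdb ptrace
# denial, a sys_ptrace denial from ps, and an unrelated file denial that must be skipped.
SAMPLE_AVCS=$(cat <<'EOF'
type=AVC msg=audit(1327336800.101:201): avc:  denied  { ptrace } for  pid=2140 comm="gdb" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1327336800.102:202): avc:  denied  { ptrace } for  pid=2140 comm="gdb" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1327336800.103:203): avc:  denied  { sys_ptrace } for  pid=2201 comm="ps" capability=19 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1327336800.104:204): avc:  denied  { read } for  pid=2210 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
)

main() {
    log=${1:-/var/log/audit/audit.log}
    release=$(uname -r)
    if kernel_at_least_3_3 "$release"; then
        echo "kernel $release: ok (3.3 or later)"
    else
        echo "kernel $release: older than 3.3, expect ptrace AVC noise from ps run as root"
    fi
    echo "deny_ptrace is $(deny_ptrace_state)"
    echo "ptrace/sys_ptrace denials in $log (permission, comm, source type):"
    if [ -r "$log" ]; then
        summarize_ptrace_avcs < "$log"
    else
        echo "  (cannot read $log; run as root or pass a readable log path)"
        echo "  sample run over the constructed lines:"
        printf '%s\n' "$SAMPLE_AVCS" | summarize_ptrace_avcs
    fi
}

# Only run the live checks when invoked as "check"; sourcing the file just defines the functions.
if [ "${1:-}" = "check" ]; then
    shift
    main "$@"
fi
```

Any line the summary prints after the boolean has been on across a reboot names a tool that is still hitting ptrace or sys_ptrace, which is the case this section says should be reported rather than worked around.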

User Experience
Most users should never be bothered by this feature being turned on. A programmer wishing to debug an application would be prevented from running the debugger until he turns the feature off.

We should not be seeing AVCs from commonly running applications when this boolean is turned on; if we do, a bugzilla should be opened against SELinux.

Certain applications like abrt that use the ability to ptrace/strace a process, or applications like NetworkManager that execute gdb to get a traceback on a crash, will be blocked by this feature. They should still gather as much information as possible rather than failing outright.

Documentation
This is a brand new feature, so currently there is no upstream documentation other than this feature description.

Release Notes
SELinux has added a new boolean, deny_ptrace. If you are running a machine and do not plan on debugging the applications on it, you should turn this boolean on. It prevents a rogue process from attacking another process or reading its memory using tools like ptrace or gdb, even if the rogue process is running as root, or the process it is trying to attack is running with the same SELinux context and label.

To permanently enable this protection, you execute the following command:

setsebool -P deny_ptrace 1

If you want to be able to debug another process, you can temporarily disable this boolean by executing

setsebool deny_ptrace 0

Comments and Discussion

 * See Talk:Features/SELinuxDenyPtrace