From Fedora Project Wiki
(reverting the "default on" documentation changes, as selinux-policy-3.10.0-112 corrects it)
 

Latest revision as of 16:13, 11 April 2012

Feature Name

Add a boolean that lets SELinux turn off every process's ability to ptrace other processes.

Summary

This change allows an administrator to prevent all processes on the system from ptrace'ing other processes on the system, including user processes. The ptrace and sys_ptrace permissions allow one process to read the memory of another process. They also allow one process to manipulate another process's running environment, using tools like gdb.

Owner

  • Email: dwalsh@redhat.com

Current status

  • Targeted release: [Fedora 17]
  • Last updated: Mon Jan 23 2012
  • Percentage of completion: 100%


Detailed Description

The deny_ptrace boolean denies all processes, even the unconfined_t domain, the ability to ptrace other domains. Because of this it is optional and turned off by default. The goal of this change is not to prevent processes with the ability to change booleans from turning the boolean off: an unconfined_t process running as root could turn off the deny_ptrace boolean and start ptracing other processes. But an unconfined_t user logged into a system without root privileges would not be able to ptrace another process, even one running with the same UID and the same SELinux type.

Lastly, this boolean only affects policy shipped by Fedora, so an admin or third party can ship a policy package that allows ptrace. You can search for all domains that are allowed to ptrace with the following command.

  # sesearch -A -p ptrace,sys_ptrace -C | grep -v deny_ptrace

This boolean requires kernel 3.3 or later to avoid lots of AVC messages: before the 3.3 kernel, the ps command generates many AVC messages when run as root.

Benefit to Fedora

The major benefit to Fedora is increased security, since no process will be allowed to read the memory of another process. For example, on a server with many processes running as httpd_t or httpd_sys_script_t, they will be prevented from manipulating other processes running with the same label. Similarly, processes run by a user will not be able to look at the process memory of other processes.

A real-world security issue is that processes like gnome-keyring, ssh or firefox which decrypt an encrypted file have the password sitting in memory. Without this feature a compromised process would be allowed to examine the other process's memory and potentially steal the secret.

Scope

This change only affects policy writers and the kernel. Any application like gdb that a programmer or system administrator wants to run would require the administrator to turn this boolean off.

How To Test

The command

  # sesearch -A -p ptrace,sys_ptrace -C | grep -v deny_ptrace

should show no output on a freshly installed Fedora 17 box. After turning on the boolean you should see commands like strace and gdb start to fail with permission denied.

A freshly installed box with the boolean turned on should boot and run properly without generating any AVC messages concerning ptrace or sys_ptrace. Make sure tools like policykit, consolekit, systemd and dbus all work properly, since these tools tend to read through the /proc/PID file system; in the past, reading /proc/PID could generate ptrace and sys_ptrace AVC messages.

User Experience

Most users should never be bothered by this feature being turned on. A programmer wishing to debug an application would be prevented from running the debugger until the feature is turned off.

We should not see AVCs from commonly running applications when this boolean is turned on; if we do, a bugzilla should be opened against SELinux.
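The test above (no ptrace or sys_ptrace AVCs after boot with the boolean on) and the rule that any such AVC from a common application is a bug both come down to the same check: scan the audit log for ptrace denials and see which program and source domain produced them. The script below is an added example, not part of the feature page or of the Fedora policy package; it works on standard audit AVC lines and the five sample lines embedded in it are constructed for the demonstration, not captured from a real system.

```shell
#!/bin/sh
# Triage ptrace / sys_ptrace AVC denials from an audit log.
# Example added for illustration; the audit lines below are constructed.

SAMPLE_AVC='type=AVC msg=audit(1327000000.101:201): avc:  denied  { ptrace } for  pid=2001 comm="gdb" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1327000000.102:202): avc:  denied  { sys_ptrace } for  pid=2002 comm="ps" capability=19 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=capability
type=AVC msg=audit(1327000000.103:203): avc:  denied  { read } for  pid=2003 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1327000000.104:204): avc:  denied  { ptrace } for  pid=2004 comm="gdb" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1327000000.105:205): avc:  denied  { ptrace } for  pid=2005 comm="abrt-hook-ccpp" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process'

# Keep only AVC lines whose denied permission is ptrace (process class)
# or sys_ptrace (capability class). Reads stdin, writes stdout.
ptrace_denials() {
    grep -E 'avc: +denied +[{] (ptrace|sys_ptrace) [}]'
}

# Number of ptrace-related denials on stdin.
count_ptrace_denials() {
    ptrace_denials | wc -l | tr -d ' '
}

# One line per (comm, permission, source type) with a count, highest first,
# so the list says which program and domain to look at or file a bug for.
summarise_ptrace_denials() {
    ptrace_denials | awk '
    {
        perm = ""; comm = ""; sdom = ""
        for (i = 1; i <= NF; i++) {
            # the permission sits between "{" and "}"
            if ($i == "{") perm = $(i + 1)
            # comm="gdb" -> gdb
            if ($i ~ /^comm=/) { comm = $i; sub(/^comm="/, "", comm); sub(/"$/, "", comm) }
            # scontext=user:role:type:level -> type
            if ($i ~ /^scontext=/) { sdom = $i; sub(/^scontext=/, "", sdom); split(sdom, p, ":"); sdom = p[3] }
        }
        n[comm " " perm " " sdom]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Run the triage over the constructed sample when executed directly.
demo_count() {
    printf '%s\n' "$SAMPLE_AVC" | count_ptrace_denials
}

demo_summary() {
    printf '%s\n' "$SAMPLE_AVC" | summarise_ptrace_denials
}

if [ "${0##*/}" = "ptrace_avc_triage.sh" ]; then
    echo "ptrace-related denials: $(demo_count)"
    demo_summary
fi
```

On a real box feed the functions the audit log instead of the sample, for example `grep avc /var/log/audit/audit.log | summarise_ptrace_denials` or `ausearch -m avc -ts recent | summarise_ptrace_denials`. With the sample the summary reports two gdb denials in unconfined_t, one ps sys_ptrace denial and one from abrt_t; the httpd file denial is unrelated to this boolean and is filtered out. A gdb denial with the boolean on is expected behaviour; a denial from a service that ran at boot is the case the page says to report.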

Certain applications, like abrt, which ptrace/strace a process, or NetworkManager, which executes gdb to get a traceback on a crash, will be blocked by this feature. They should not fail outright, though, and should still gather as much information as possible.

Documentation

This is a brand new feature, so currently there is no upstream documentation other than this feature description.

Release Notes

SELinux has added a new boolean, deny_ptrace. If you are running a machine and do not plan to debug the applications on it, you should turn this boolean on. It prevents a rogue process from attacking another process or reading its memory using tools like ptrace or gdb, even if the rogue process is running as root, or the process it is trying to attack is running with the same SELinux context and label.

To permanently enable this protection, you execute the following command:

setsebool -P deny_ptrace 1

If you want to be able to debug another process, you can temporarily disable this boolean by executing

setsebool deny_ptrace 0


Comments and Discussion