ptrace: allow restriction of ptrace scope
in [Kernel]
|
From: Kees Cook on 17 Jun 2010 18:00 On Thu, Jun 17, 2010 at 10:18:15PM +0100, Alan Cox wrote: > > > Thats a nonsensical configuration so we don't care. If you are using > > > SELinux you just do it via SELinux. If you are doing it via > > > UbuntuHasToBeDifferent then you do it via that. > > > > > > Well, surely there are people who use something other than Ubuntu > > and also care about not using SELinux... eh? > > Then they can load UbuntuSecurity and use that, just enabling the > features they want. > > I'm not against the Ubuntu stuff getting beaten into a security module > and put where it belongs. Far from it - I just want to see it put where > it belongs, which is not junk randomly spewed over the tree. Doubly so > when they do it wrong *because* they are not using the security hooks. > > It seems pretty easy to me. Kees needs to package up the grsecurity > features that Ubuntu thinks are valuable into security/something/... with > a set of sysfs entries to turn on/off the various features. Ubuntu is > happy, people who want a simple set of sysfs feature controls for > security are happy and nobody else will even notice. > > It'll appeal to some people because it looks easy to work and it won't > upset anyone else because its all nicely filed away where it belongs. If all I cared about was the default Ubuntu distro, I wouldn't forward these patches at all. As it turns out, I care about all kinds of configurations, e.g. people using SELinux on Ubuntu, AppArmor on SUSE, no LSM on Fedora, grsecurity on Gentoo, or TOMOYO on Debian. There are all kinds of combinations, obviously, and I'm interested in making this stuff available to anyone and everyone. The "just use SELinux" reply is tiresome. If "everyone" used SELinux, there wouldn't be at least 3 other LSMs under active development. Ignore that my email ends in "@canonical.com", as it seems to be distracting these discussions. The PTRACE, symlink, and other stuff are features people want. If the point of your argument is that the logic and configuration for each of these features should be added to every LSM, that's not sensible. An end user should be able to pick and choose what they want. If I create the security/hideous/ LSM tree, it would _exclude_ the ability to use TOMOYO or Smack or SELinux or AppArmor. At present, I'm aware of global PTRACE control being possible in SELinux, AppArmor, grsecurity, and as a patch in Ubuntu's kernel. I don't know about TOMOYO or Smack, but configuring the default scope of PTRACE in at least 4 different ways so far (or not being able to change it at all) just seems crazy. If the security API allowed the end user to pick and choose the features they wanted, then those features would be developed in a single place and configured in a single way. Since that's not possible, I'm proposing these features be central, and configured via /proc/sys. -Kees -- Kees Cook Ubuntu Security Team -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Alan Cox on 17 Jun 2010 18:20 > And for them, it certainly seems like a good idea to be able to turn off > PTRACE without having to fiddle with an LSM. But that *is* an LSM, its a security policy. You don't seem to get it - even the default kernel security is a security policy (security/commoncap.c etc) -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Kees Cook on 17 Jun 2010 18:30 On Thu, Jun 17, 2010 at 11:18:59PM +0100, Alan Cox wrote: > > And for them, it certainly seems like a good idea to be able to turn off > > PTRACE without having to fiddle with an LSM. > > But that *is* an LSM, its a security policy. > > You don't seem to get it - even the default kernel security is a > security policy (security/commoncap.c etc) I do get it. I also get that every LSM calls out to commoncap, making it effectively stacked with the primary LSM -- the only LSM that gets stacked. In fact, this is how I even started implementing these features: as patches to commoncap, but James preferred it to be in core since they are of general utility. But core people want the changes in security/ instead. I don't mind putting them in commoncap at all. I would just like people to agree on what they disagree about. :) -Kees -- Kees Cook Ubuntu Security Team -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Alan Cox on 17 Jun 2010 18:30 > The "just use SELinux" reply is tiresome. If "everyone" used SELinux, > there wouldn't be at least 3 other LSMs under active development. People using SELinux, SMACK and the other LSMs already *have* this feature (done right, unlike the version you posted). > The PTRACE, symlink, and other stuff are features people want. If the > point of your argument is that the logic and configuration for each > of these features should be added to every LSM, that's not sensible. > An end user should be able to pick and choose what they want. If I > create the security/hideous/ LSM tree, it would _exclude_ the ability to > use TOMOYO or Smack or SELinux or AppArmor. This is like trying to have two different file systems on the same partition at once. We tried stackability - the reason LSMs don't currently stack neatly is because it turned out to be a very bad idea. If you want to fix that by implementing a stacking LSM which has your switches then do that. > At present, I'm aware of global PTRACE control being possible in SELinux, > AppArmor, grsecurity, and as a patch in Ubuntu's kernel. I don't know > about TOMOYO or Smack, but configuring the default scope of PTRACE in > at least 4 different ways so far (or not being able to change it at all) > just seems crazy. So you want to add a fifth. It won't replace the others because its not as flexible. How does having five help ? > If the security API allowed the end user to pick and choose the features > they wanted, then those features would be developed in a single place > and configured in a single way. Since that's not possible, I'm proposing > these features be central, and configured via /proc/sys. They *are* central, which is why we have the security directory and the security hooks abstracted into one central location. So if you care about everyone then do it right - put it in its own LSM. After that or in parallel you can look at how it needs to interact to make it stackable. That's a door that the integrity/ima work has partly re-opened already. Really you have three choices - You can keep trying to put stuff in places it doesn't belong, in which case you'll keep getting NAKs from people like Christoph and from Al Viro and then give up. - You can give up now. - You can put it together as a security module - which will make people happy and get your stuff upstream. After that you can have a meaningful discussion about stacking, although I think you'll find that stacking is really really hard because you get conflicting behaviour between security modules and ignoring those conflicts ends up violating at least one of the security models leaving you worse not better off. Your path to making any of the stuff you want happen is via the security layer and the LSM hooks. Even if you want them stackable and usable with other modules your starting point is still a security module. Alan -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Alan Cox on 17 Jun 2010 18:40
> I don't mind putting them in commoncap at all. I would just like people > to agree on what they disagree about. :) I don't believe they belong in commoncap, but as something which can sit on top of commoncap and then be dropped into by the security modules that makes total sense. (Really thats just the stacking debate and how to dodge it ;)) Ie you'd have optionally: LSMs optionally: cap_switches required: commoncap -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ |