mirror of https://github.com/mkerrisk/man-pages
ptrace.2: Minor fixes after review by Kees Cook
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent e48ed83a6a
commit 028b5760e8
@ -2319,7 +2319,8 @@ and
|
||||||
The goal of such restrictions is to prevent attack escalation whereby
|
The goal of such restrictions is to prevent attack escalation whereby
|
||||||
a compromised process can ptrace-attach to other sensitive processes
|
a compromised process can ptrace-attach to other sensitive processes
|
||||||
(e.g., a GPG agent or an SSH session) owned by the user in order
|
(e.g., a GPG agent or an SSH session) owned by the user in order
|
||||||
to gain additional credentials and thus expand the scope of the attack.
|
to gain additional credentials that may exist in memory
|
||||||
|
and thus expand the scope of the attack.
|
||||||
|
|
||||||
More precisely, the Yama LSM limits two types of operations:
|
More precisely, the Yama LSM limits two types of operations:
|
||||||
.IP * 3
|
.IP * 3
|
||||||
|
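Review bot: in the rewritten line, "credentials that may exist in memory" leaves open whose memory is meant; since the reason the restriction matters is that a tracer attached to a process can read and alter that process's address space, consider "credentials that may be held in the target's memory". In the unchanged context line above it, "owned by the user" would also read more clearly as "owned by the same user", which is the case the Yama restriction addresses.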
@ -2358,12 +2359,12 @@ capability in the user namespace of the target process or
|
||||||
it must have a predefined relationship with the target process.
|
it must have a predefined relationship with the target process.
|
||||||
By default,
|
By default,
|
||||||
the predefined relationship is that the target process
|
the predefined relationship is that the target process
|
||||||
must be a child of the caller.
|
must be a descendant of the caller.
|
||||||
|
|
||||||
A target process can employ the
|
A target process can employ the
|
||||||
.BR prctl (2)
|
.BR prctl (2)
|
||||||
.B PR_SET_PTRACER
|
.B PR_SET_PTRACER
|
||||||
operation to declare a different PID that is allowed to perform
|
operation to declare an additional PID that is allowed to perform
|
||||||
.BR PTRACE_MODE_ATTACH
|
.BR PTRACE_MODE_ATTACH
|
||||||
operations on the target.
|
operations on the target.
|
||||||
See the kernel source file
|
See the kernel source file
|
||||||
|
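Review bot: "descendant" in the changed line is the accurate term, since with ptrace_scope 1 the check walks the process ancestry rather than allowing only a direct parent, and "additional PID" correctly signals that the declared tracer is permitted alongside, not instead of, the ancestry relationship. What the paragraph still does not say is that PR_SET_PTRACER also accepts the special value PR_SET_PTRACER_ANY, which waives the relationship check for that target entirely; a reader who uses this operation so that a debugger or crash handler can attach should know that this option exists and that it removes the protection for that one process, so a pointer to its description in prctl(2) would help here.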
@ -2391,12 +2392,16 @@ operations or trace children that employ
|
||||||
Once this value has been written to the file, it cannot be changed.
|
Once this value has been written to the file, it cannot be changed.
|
||||||
.PP
|
.PP
|
||||||
With respect to values 1 and 2,
|
With respect to values 1 and 2,
|
||||||
note that creating a user namespace effectively removes the Yama protection,
|
note that creating a new user namespace effectively removes the
|
||||||
because the owner of a namespace, when accessing its members from outside, has
|
protection offered by Yama.
|
||||||
.BR CAP_SYS_PTRACE
|
This is because a process in the parent user namespace whose effective
|
||||||
within the namespace.
|
UID matches the UID of the creator of a child namespace
|
||||||
This means that when a process tries to use namespaces to sandbox
|
has all capabilities (including
|
||||||
itself, it inadvertently weakens the protections offered by the Yama LSM.
|
.BR CAP_SYS_PTRACE )
|
||||||
|
when performing operations within the child user namespace
|
||||||
|
(and further-removed descendants of that namespace).
|
||||||
|
Consequently, when a process tries to use user namespaces to sandbox itself,
|
||||||
|
it inadvertently weakens the protections offered by the Yama LSM.
|
||||||
.\"
|
.\"
|
||||||
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
|
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
|
||||||
.\"
|
.\"
|
||||||
|
|
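Review bot: the new mechanism paragraph is the right explanation, and "UID of the creator" could be made slightly more precise as the creator's effective UID at the time the namespace was created, which is what the kernel records as the namespace owner. The final sentence would also benefit from saying against whom the protection is lost: any other process of the same user running outside the sandbox, which is exactly the compromised-process scenario the earlier paragraph describes, because such a process satisfies the CAP_SYS_PTRACE check that Yama performs against the target's user namespace and so is no longer held to the ancestry rule.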