ptrace.2: Minor fixes after review by Kees Cook

Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Michael Kerrisk 2016-06-29 07:02:50 +02:00
parent e48ed83a6a
commit 028b5760e8
1 changed files with 14 additions and 9 deletions


@ -2319,7 +2319,8 @@ and
The goal of such restrictions is to prevent attack escalation whereby The goal of such restrictions is to prevent attack escalation whereby
a compromised process can ptrace-attach to other sensitive processes a compromised process can ptrace-attach to other sensitive processes
(e.g., a GPG agent or an SSH session) owned by the user in order (e.g., a GPG agent or an SSH session) owned by the user in order
to gain additional credentials and thus expand the scope of the attack. to gain additional credentials that may exist in memory
and thus expand the scope of the attack.
More precisely, the Yama LSM limits two types of operations: More precisely, the Yama LSM limits two types of operations:
.IP * 3 .IP * 3
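Review bot: the new wording "credentials that may exist in memory" still leaves implicit what a ptrace-attached process actually gains, namely read access to the target's address space and register state, so the credentials at stake are the secrets the target itself holds (the GPG agent and SSH session examples make this concrete). Suggest saying so directly, e.g. "in order to read credentials (such as cached keys or session secrets) out of the target's memory and thus expand the scope of the attack", so the reader does not confuse this with obtaining kernel-level credentials.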
@ -2358,12 +2359,12 @@ capability in the user namespace of the target process or
it must have a predefined relationship with the target process. it must have a predefined relationship with the target process.
By default, By default,
the predefined relationship is that the target process the predefined relationship is that the target process
must be a child of the caller. must be a descendant of the caller.
A target process can employ the A target process can employ the
.BR prctl (2) .BR prctl (2)
.B PR_SET_PTRACER .B PR_SET_PTRACER
operation to declare a different PID that is allowed to perform operation to declare an additional PID that is allowed to perform
.BR PTRACE_MODE_ATTACH .BR PTRACE_MODE_ATTACH
operations on the target. operations on the target.
See the kernel source file See the kernel source file
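Review bot: replacing "child" with "descendant" is the right correction, since a debugger that launches its target through an intermediate process (a shell or wrapper) would otherwise appear not to qualify, but the single word is easy to read as a synonym for child; consider spelling out the widening as "must be a descendant (child, grandchild, and so on) of the caller". The matching change to "an additional PID" for PR_SET_PTRACER should likewise state plainly that the declared PID is permitted in addition to the descendant rule rather than in place of it, e.g. "to declare one further PID, in addition to the caller's descendants, that is allowed to perform PTRACE_MODE_ATTACH operations on the target".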
@ -2391,12 +2392,16 @@ operations or trace children that employ
Once this value has been written to the file, it cannot be changed. Once this value has been written to the file, it cannot be changed.
.PP .PP
With respect to values 1 and 2, With respect to values 1 and 2,
note that creating a user namespace effectively removes the Yama protection, note that creating a new user namespace effectively removes the
because the owner of a namespace, when accessing its members from outside, has protection offered by Yama.
.BR CAP_SYS_PTRACE This is because a process in the parent user namespace whose effective
within the namespace. UID matches the UID of the creator of a child namespace
This means that when a process tries to use namespaces to sandbox has all capabilities (including
itself, it inadvertently weakens the protections offered by the Yama LSM. .BR CAP_SYS_PTRACE )
when performing operations within the child user namespace
(and further-removed descendants of that namespace).
Consequently, when a process tries to use user namespaces to sandbox itself,
it inadvertently weakens the protections offered by the Yama LSM.
.\" .\"
.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.\" .\"