summaryrefslogtreecommitdiffhomepage
path: root/pkg/abi/linux
diff options
context:
space:
mode:
authorDean Deng <deandeng@google.com>2021-02-24 02:01:38 -0800
committergVisor bot <gvisor-bot@google.com>2021-02-24 02:03:16 -0800
commitacd516cfe2920006a5d2760c78bd2245d498023a (patch)
treea60c57de55b821e6dd33bf2cfa37feb09903c2a2 /pkg/abi/linux
parent6e000d3424c0eed685483f54348c6b0a752a0435 (diff)
Add YAMA security module restrictions on ptrace(2).
Restrict ptrace(2) according to the default configurations of the YAMA security module (mode 1), which is a common default among various Linux distributions. The new access checks only permit the tracer to proceed if one of the following conditions is met: a) The tracer is already attached to the tracee. b) The target is a descendant of the tracer. c) The target has explicitly given permission to the tracer through the PR_SET_PTRACER prctl. d) The tracer has CAP_SYS_PTRACE. See security/yama/yama_lsm.c for more details. Note that these checks are added to CanTrace, which is checked for PTRACE_ATTACH as well as some other operations, e.g., checking a process' memory layout through /proc/[pid]/mem. Since this patch adds restrictions to ptrace, it may break compatibility for applications run by non-root users that, for instance, rely on being able to trace processes that are not descended from the tracer (e.g., `gdb -p`). YAMA restrictions can be turned off by setting /proc/sys/kernel/yama/ptrace_scope to 0, or exceptions can be made on a per-process basis with the PR_SET_PTRACER prctl. Reported-by: syzbot+622822d8bca08c99e8c8@syzkaller.appspotmail.com PiperOrigin-RevId: 359237723
Diffstat (limited to 'pkg/abi/linux')
-rw-r--r--pkg/abi/linux/prctl.go5
-rw-r--r--pkg/abi/linux/ptrace.go6
2 files changed, 11 insertions, 0 deletions
diff --git a/pkg/abi/linux/prctl.go b/pkg/abi/linux/prctl.go
index 391cfaa1c..41118c3b4 100644
--- a/pkg/abi/linux/prctl.go
+++ b/pkg/abi/linux/prctl.go
@@ -144,6 +144,11 @@ const (
// PR_MPX_DISABLE_MANAGEMENT disables kernel management of Memory
// Protection eXtensions (MPX) bounds tables.
PR_MPX_DISABLE_MANAGEMENT = 44
+
+ // PR_SET_PTRACER allows a specific process (or any, if PR_SET_PTRACER_ANY is
+ // specified) to ptrace the current task.
+ PR_SET_PTRACER = 0x59616d61
+ PR_SET_PTRACER_ANY = -1
)
// From <asm/prctl.h>
diff --git a/pkg/abi/linux/ptrace.go b/pkg/abi/linux/ptrace.go
index 23e605ab2..db1c6a0d8 100644
--- a/pkg/abi/linux/ptrace.go
+++ b/pkg/abi/linux/ptrace.go
@@ -87,3 +87,9 @@ const (
PTRACE_O_EXITKILL = 1 << 20
PTRACE_O_SUSPEND_SECCOMP = 1 << 21
)
+
+// YAMA ptrace_scope levels from security/yama/yama_lsm.c.
+const (
+ YAMA_SCOPE_DISABLED = 0
+ YAMA_SCOPE_RELATIONAL = 1
+)