SELinuxDenyPtrace and security by default

The Unix process model gives each process its own address space and isolates processes from each other; one process cannot access another's memory unless the two have explicitly agreed to share it. This boundary should enable one process to keep secrets from another, but there is an exception: the walls between process can be breached with the ptrace() system call. With the goal of improving security, distributors have been making changes to make that wall harder to penetrate. But, as a discussion regarding security options in the upcoming Fedora 17 release shows, there is an ongoing tension between the goals of improving security and making a distribution that is useful to its users.

ptrace() exists primarily to facilitate debugging; it is used by debuggers like gdb to stop and start a process, set breakpoints, and to examine and change memory contents. Other useful commands, like strace, also need ptrace() to function properly. The rules for ptrace() were designed in the era of relatively isolated, multi-user systems; their primary intent is to protect users from each other. So an unprivileged user is unable to use ptrace() on a process owned by a different user. But any user can employ ptrace() freely on his or her own processes.

As Dan Walsh has noted, the effects of this policy can be surprising for contemporary users:

In other words, anybody who can run code as a given user (through an exploit, say, or via a browser plugin) can use ptrace() to examine (and change) the behavior and memory of any other process owned by that user. The potential for the compromise of personal information is clear. How to solve that problem is, perhaps, a bit less so.

Dan's answer is a Fedora feature called SELinuxDenyPtrace. As one might expect from the name, this feature uses SELinux policy to disable access to the ptrace() command for all users. When Fedora's engineering steering committee (FESCO) approved this feature for the Fedora 17 release, most of its members were apparently under the impression that the feature would be turned off by default; indeed, the feature page still says:

Given that, a number of early testers of the upcoming Fedora 17 beta release have been surprised to discover that the feature is, instead, turned on by default. As a result, commands like gdb and strace fail to work. The KDE "DrKonqi" crash reporter is also broken by this setting. Needless to say, software development on such a system is a less enjoyable task. The resulting behavior is also simply surprising; as Mark Wielaard put it when he raised the issue:

Dan responded that "if you understand what ptrace or gdb are, you probably can figure out how to turn this feature off." Others, however, have argued that a Fedora install should be useful to developers by default and that forcing developers to figure out how to toggle an SELinux setting is a step in the wrong direction. As of this writing, it appears that this argument has prevailed and that ptrace() will be enabled by default in the Fedora 17 final release.

Should that happen, though, the question is likely to return in the Fedora 18 cycle. And Fedora is not alone in this quest; Ubuntu, too, has disabled the use of ptrace() by default, though the mechanism used in this case (the Yama security module) is different. Various other attempts to restrict the capabilities of running processes exist; these include Android's "every program gets its own user ID" model, reducing the set of available system calls with seccomp, and more. There appears to be little disagreement with the idea that we are surrounded by security threats and that our systems need to become more secure as a result. Protecting a single user's processes from each other is one way (out of many) to address those threats.

On the other hand, there is disagreement over the extent to which becoming more secure should inconvenience or disrupt the work of users. A powered-down machine is quite resilient against online attacks, but users tend to complain about how long it takes to get their work done on such a system. Security developers naturally tend to see the costs of their work as small, easily borne, and more than justified by the benefits; users, for whom the costs are much more immediate, tend to disagree. The result is a lot of tension surrounding security-related decisions.

To an extent, this tension can be a good thing; it can, in the long term, motivate the development of more useful and less intrusive security technologies. But it can frustrate users, who may feel that functionality is being taken from them for no good reason; it can also frustrate security developers who find their efforts to protect those users thwarted. Unfortunately, there is often no easy answer; security is a trade-off with both costs and benefits. So, while the default setting for deny_ptrace in Fedora 17 may have been pushed in the "convenience for users" direction, we can expect the wider discussion to be with us for some time.

Index entries for this article
Security	Distribution security/ptrace()
Security	Security Enhanced Linux (SELinux)

---

to post comments

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 3:44 UTC (Thu) by slashdot (guest, #22014) [Link] (12 responses)

The problem is not really just ptrace, it's that the Linux permission model is fundamentally broken.

Specifically, there should be a strong distinction between the privileges of a USER, and the privileges of a PROGRAM, which should NOT get all the privileges of the user who runs it (actually, it should get none, by default).

It would be nice if someone finally realized this, and fixed the issue, for example by assigning an uid to each user+program combination like Android does.

Like the article says, users nowadays would really like (and sometimes even expect) to run an arbitrary untrusted program WITHOUT it being able to cause any damage.

This includes not being able to put a trojan in $HOME/.profile, logging keystrokes, destroying your documents, etc; fixing all this requires to change the permission model, not paper over ptrace.

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 4:47 UTC (Thu) by dlang (guest, #313) [Link] (9 responses)

people also expect to be able to save a spreadsheet from e-mail and then open it as a spreadsheet (or go the other way)

such a thing would be blocked by the "every app has a different userid" approach

things aren't as simple as you would like them to be.

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 5:36 UTC (Thu) by slashdot (guest, #22014) [Link] (8 responses)

Well, of course you need additional mechanisms to selectively grant programs the ability to access files, preferably with no changes to applications.

For example, your use case can be fixed with no application changes by making the kernel/glibc:
1. Switch to the proper user+program uid combination upon execve
2. Grant access to all paths listed as command line arguments

Likewise, the GTK/Qt open file dialog APIs need to be fixed to communicate with a trusted daemon that actually opens the dialogs and grants permission.

Again, someone with no clue about computers would never guess that the game they just downloaded can trash all their personal files, since it's simply absurd system behavior.

Why this isn't considered a huge security issue is a mystery to me.

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 5:48 UTC (Thu) by dlang (guest, #313) [Link] (7 responses)

and how would you tell the difference between this malicious game and a copy of libreoffice? or a different browser?

how is all this configuration about what applications are allowed to access what programs going to be administered?

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 6:15 UTC (Thu) by slashdot (guest, #22014) [Link] (6 responses)

The copy of LibreOffice has the same permissions of the game: none (i.e. the same as a random uid).

You open files like this:
1. User clicks Open in LibreOffice
2. LibreOffice asks GTK+ to run the Open dialog
3. GTK+ doesn't open the dialog, but instead sends a request via D-Bus to the session file manager
4. The session file manager opens the Open dialog
5. The user selects the file to open
6. The session file manager instructs the kernel LSM to grant access to the user-selected path to LibreOffice
7. The session file manager gives the user-selected path (either as a path, or as an FD over AF_UNIX that becomes /proc/self/fd/#) back to LibreOffice's GTK+ via D-Bus, which then gives it to LibreOffice
8. LibreOffice opens the file

Of course, this also needs a properly designed windows manager that doesn't let random clients simulate keystrokes and other nefarious stuff.

The game can try to do the same, but the user is unlikely to choose his own personal files when asked about which file to open.

Of course, there's a bunch of other scenarios that need to be handled, but it's all fixable with minimal or no changes to applications.

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 7:08 UTC (Thu) by hppnq (guest, #14462) [Link] (4 responses)

9. LibreOffice chokes on the malicious input it read from the file.

You can't base your security model on trusting sources that can't be trusted. But maybe you're just taking the mickey.

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 9:19 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

So what? If Libreoffice is properly sandboxed then it can't access other files and at most can be used to send out spam (if networking is enabled) until Libreoffice process is killed.

Of course, it leaves the problem of local vulnerabilities. But that's another story.

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 9:19 UTC (Thu) by renox (guest, #23785) [Link]

So what? If LibreOffice has no permissions, it cannot do much harm..

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 9:24 UTC (Thu) by slashdot (guest, #22014) [Link] (1 responses)

But it can't do any real damage, because it has no permissions to do so.

Also, with NX and ASLR, it should be next to impossible to actually do anything beyond crashing the application with a single document.

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 16:20 UTC (Thu) by hppnq (guest, #14462) [Link]

It's not extremely difficult to see the problem here: if you can't trust your editor if you need to edit your .profile, or if you can't trust it to properly handle its contents -- a program crash is not necessarily involved -- then what good is it to you that you have a secure way of opening it?

Who or what specifies what is or is not permitted?

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 14:23 UTC (Thu) by dgm (subscriber, #49227) [Link]

9. LibreOffice tries to open a second file linked in the document, or via code macro, fails miserably.
10. User swears, disables the broken security measures and goes back to working as usual.

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 14:03 UTC (Thu) by mstone (subscriber, #58824) [Link]

As the author of OLPC's circa-2007 "rainbow" uid-based sandboxing system (see http://sandboxing.org), uid-based sandboxing works reasonably well at the level of the kernel but interacts poorly with current free software desktops and is only questionably useful against adaptive adversaries given the rate at which new local privilege escalation attacks are discovered.

SELinuxDenyPtrace and security by default

Posted Apr 13, 2012 6:08 UTC (Fri) by jackb (guest, #41909) [Link]

Specifically, there should be a strong distinction between the privileges of a USER, and the privileges of a PROGRAM, which should NOT get all the privileges of the user who runs it (actually, it should get none, by default).

Isn't that what selinux is all about?

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 6:31 UTC (Thu) by JoeBuck (guest, #2330) [Link] (6 responses)

"if you understand what ptrace or gdb are, you probably can figure out how to turn this feature off."

What Dan misses is that his employer has sold a number of large deployments to corporate customers, where the software developers don't have root on the systems they use. What he also doesn't seem to sufficiently appreciate is that if a security feature has to be turned off to diagnose any problems, everyone will wind up being forced to turn it off so he might has well have saved the work and not bothered with the feature.

That said, of course ptrace can be a security issue. Maybe there can be a more sophisticated way of limiting its use. For example, I don't want my browser, or any helper app that it launches, to be able to ptrace, but if I start a debugger from my terminal, it should be able to trace any non-setuid process I own. Come up with a way to prevent processes we don't expect to use ptrace to be forbidden to do it.

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 10:32 UTC (Thu) by tialaramex (subscriber, #21167) [Link] (4 responses)

Roughly the same problem exists on locked down Windows (installing a debugger hook requires System privileges, but the local user may not legitimately have System privileges) and presumably companies that want their C or C++ developers to be at all effective have come up with a policy and mechanisms to handle this case.

Would it be better to have millions of locked down machines where the user doesn't need ptrace and there is a boolean that would disable it, but the user lacks privileges to enable that boolean?

I _think_ SELinux could be configured to grant ptrace rights to binaries like gdb, but the problem is that this mostly undoes the security benefit of removing the privilege in the first place.

Maybe a nice alternative would be to enable ptrace by default only for processes which are marked at exec-time in some way as volunteering to be traced. The "your children" rule is a primitive version of this restriction, but a smarter one could allow for almost all legitimate debugging. The only special case where you'd want to turn off the boolean then would be debugging of a production system that has some error you can't reproduce under test conditions yet must anyhow diagnose and fix. That's a narrow enough case that requiring people to jump through hoops ought to be acceptable.

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 13:48 UTC (Thu) by cesarb (subscriber, #6266) [Link] (1 responses)

> Maybe a nice alternative would be to enable ptrace by default only for processes which are marked at exec-time in some way as volunteering to be traced.

Android has something like that, the android:debuggable attribute:

https://developer.android.com/guide/topics/manifest/appli...

SELinuxDenyPtrace and security by default

Posted Apr 13, 2012 15:50 UTC (Fri) by bronson (guest, #4806) [Link]

That doesn't fix the drkonqui problem... Maybe reverse the sense? Only allow programs marked by root as ptrace-trusted to run ptrace?

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 14:23 UTC (Thu) by niner (guest, #26151) [Link] (1 responses)

"presumably companies that want their C or C++ developers to be at all effective have come up with a policy and mechanisms to handle this case."

The policy is to let the developers work as local administrator which hardly is an improvement over unrestricted ptrace...

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 14:33 UTC (Thu) by raven667 (subscriber, #5198) [Link]

That's still an improvement over everyone who is not developing software also having this enabled.

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 18:22 UTC (Thu) by Fats (guest, #14882) [Link]

"What Dan misses is that his employer has sold a number of large deployments to corporate customers, where the software developers don't have root on the systems they use."

I do hope this employer then has proper IT group that during testing finds out the ptrace() should be allowed for the programmers. Otherwise I think that company will be doomed because in general they won't be able to properly support their programmers.

greets,
Staf.

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 7:24 UTC (Thu) by geertj (guest, #4116) [Link] (3 responses)

Could the problem be solved by allowing ptrace() only to children of the current process? That way debugging and strace would work, but no other process could ptrace() my password safe. And processes could protect themselves against ptracing by reparenting themselves to init.

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 9:19 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

That's exactly what Yama in Ubuntu does.

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 12:26 UTC (Thu) by spender (guest, #23067) [Link]

What a brilliant idea! Why didn't I think of that in 2009?

Unfortunately Dan Walsh isn't as adept as Ubuntu in copying my ideas and thus has to resort to paranoia as a form of "security" to introduce such "forward-thinking" measures.

-Brad

Children only

Posted Apr 12, 2012 12:59 UTC (Thu) by corbet (editor, #1) [Link]

Being able to trace only children by default is likely to be part of the solution at the end. But, as many people pointed out in the discussion, there are a lot of uses of commands like strace -p, so this policy will still cause problems.

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 15:28 UTC (Thu) by kees (subscriber, #27264) [Link] (3 responses)

There's no reason to reinvent the wheel. Just use Yama:

http://lists.fedoraproject.org/pipermail/devel/2012-April...

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 15:44 UTC (Thu) by jake (editor, #205) [Link] (2 responses)

> There's no reason to reinvent the wheel. Just use Yama

Yama is nice, for sure, but doesn't it run afoul of the 'no stacking LSMs' problem here? In order to load Yama by default, wouldn't Fedora have to disable SELinux by default? (some would, of course, claim that as a *good* thing, but it seems a little unlikely that Fedora would go that route)

or am I missing something here?

jake

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 15:58 UTC (Thu) by kees (subscriber, #27264) [Link] (1 responses)

Right, I give an example of how to stack it:
http://git.kernel.org/?p=linux/kernel/git/kees/linux.git;...

My point being that if Eric Paris was going to write out-of-tree code to handle a case that Yama already handles, why not just use the out-of-tree stacking code instead, and gain all the dynamic policy logic that Yama already provides?

Let's not go that way

Posted Apr 15, 2012 9:48 UTC (Sun) by man_ls (guest, #15091) [Link]

Perhaps because stacking security modules would be an implicit assumption that SELinux is not always the right solution to security module problems, and somehow question Fedora's choice. In a few releases Fedora might feel even that SELinux is not really needed at all, and stop enabling it by default. Then admins who have taken the pains to learn SELinux (and perhaps even write some 100k-line configuration files) would feel cheated, and turn to Debian or (gasp) Ubuntu for their needs. Finally Red Hat would lose its market valuation and Canonical would start trading in the Nasdaq making Shuttleworth immensely rich again. Finally the world would get noticeably warmer from all the space trips he would make, and in 100 years civilization as we know it would crumble. It's a slippery slope!

Handle it with the package manager?

Posted Apr 13, 2012 14:22 UTC (Fri) by NRArnot (subscriber, #3033) [Link] (1 responses)

Scientific Linux has several "tweak" packages that alter the behaviour of a system. For example there's one (from memory sl-nocolorls) that turns off the default colorization of ls output.

Wouldn't it be a good idea to have an package "Selinux-allow-ptrace" and bundle it as one of the default packages in the "software developer" group? Also create dependencies so that it is installed if you later install a debugger that won't work until ptrace is allowed?

this way users would not have to be fully clued up. An installation without software development tools would be maximally secure. Installing a debugger would change the default, because the maximally secure default is also maximally useless given that choice.

Handle it with the package manager?

Posted Apr 13, 2012 16:54 UTC (Fri) by rahulsundaram (subscriber, #21946) [Link]

You don't need a whole new package. Post scripts in any RPM package can turn off SELinux booleans if necessary. However this means that developer systems are not secured. What would be ideal is just gdb or specific tools like that having that access but only if it is initiated by the user and not programs themselves unless they are specifically allowed that access.

use capabilities

Posted May 30, 2012 3:30 UTC (Wed) by jnansi (guest, #33072) [Link]

One way to solve this problem would be to use the capabilities model, to allow specific binaries the permission to call ptrace.