====
Yama
====

Yama is a Linux Security Module that collects system-wide DAC security
protections that are not handled by the core kernel itself. This is
selectable at build-time with ``CONFIG_SECURITY_YAMA``, and can be controlled
at run-time through sysctls in ``/proc/sys/kernel/yama``:

ptrace_scope
============

As Linux grows in popularity, it will become a larger target for
malware. One particularly troubling weakness of the Linux process
interfaces is that a single user is able to examine the memory and
running state of any of their processes. For example, if one application
(e.g. Pidgin) was compromised, it would be possible for an attacker to
attach to other running processes (e.g. Firefox, SSH sessions, GPG agent,
etc.) to extract additional credentials and continue to expand the scope
of their attack without resorting to user-assisted phishing.

This is not a theoretical problem. `SSH session hijacking
<https://www.blackhat.com/presentations/bh-usa-05/bh-us-05-boileau.pdf>`_
and `arbitrary code injection
<https://c-skills.blogspot.com/2007/05/injectso.html>`_ attacks already
exist and remain possible if ptrace is allowed to operate as before.
Since ptrace is not commonly used by non-developers and non-admins, system
builders should be allowed the option to disable this debugging system.

For a solution, some applications use ``prctl(PR_SET_DUMPABLE, ...)`` to
specifically disallow such ptrace attachment (e.g. ssh-agent), but many
do not. A more general solution is to only allow ptrace directly from a
parent to a child process (i.e. direct "gdb EXE" and "strace EXE" still
work), or with ``CAP_SYS_PTRACE`` (i.e. "gdb --pid=PID" and "strace -p PID"
still work as root).

In mode 1, software that has defined application-specific relationships
between a debugging process and its inferior (crash handlers, etc.) can use
``prctl(PR_SET_PTRACER, pid, ...)``. An inferior can declare which
other process (and its descendants) are allowed to call ``PTRACE_ATTACH``
against it. Only one such declared debugging process can exist for
each inferior at a time. For example, this is used by KDE, Chromium, and
Firefox's crash handlers, and by Wine for allowing only Wine processes
to ptrace each other. If a process wishes to entirely disable these ptrace
restrictions, it can call ``prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, ...)``
so that any otherwise allowed process (even those in external pid namespaces)
may attach.

The sysctl settings (writable only with ``CAP_SYS_PTRACE``) are:

0 - classic ptrace permissions:
    a process can ``PTRACE_ATTACH`` to any other
    process running under the same uid, as long as it is dumpable (i.e.
    did not transition uids, start privileged, or have called
    ``prctl(PR_SET_DUMPABLE...)`` already). Similarly, ``PTRACE_TRACEME`` is
    unchanged.

1 - restricted ptrace:
    a process must have a predefined relationship
    with the inferior it wants to call ``PTRACE_ATTACH`` on. By default,
    this relationship is that of only its descendants when the above
    classic criteria are also met. To change the relationship, an
    inferior can call ``prctl(PR_SET_PTRACER, debugger, ...)`` to declare
    an allowed debugger PID to call ``PTRACE_ATTACH`` on the inferior.
    Using ``PTRACE_TRACEME`` is unchanged.

2 - admin-only attach:
    only processes with ``CAP_SYS_PTRACE`` may use ptrace, either with
    ``PTRACE_ATTACH`` or through children calling ``PTRACE_TRACEME``.

3 - no attach:
    no processes may use ptrace with ``PTRACE_ATTACH`` nor via
    ``PTRACE_TRACEME``. Once set, this sysctl value cannot be changed.

The original children-only logic was based on the restrictions in grsecurity.
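The four modes and the ``PR_SET_PTRACER`` declaration, modelled in an added example that is not kernel or Yama code: it parses the sysctl text, decides one ``PTRACE_ATTACH`` or ``PTRACE_TRACEME`` attempt from the facts the modes above weigh, and wraps the inferior-side ``prctl`` call a crash handler would make (the ``PR_SET_PTRACER`` fallback value is the kernel's constant, included in case the libc headers lack it).

```c
#include <stdlib.h>
#include <sys/prctl.h>

/* PR_SET_PTRACER lives in linux/prctl.h; older libc headers lack it. */
#ifndef PR_SET_PTRACER
#define PR_SET_PTRACER 0x59616d61
#endif

/* Parse ptrace_scope sysctl text such as "1\n": 0..3, or -1 if invalid. */
int parse_ptrace_scope(const char *text)
{
    char *end = NULL;
    long v = text ? strtol(text, &end, 10) : -1;
    if (!text || end == text || (*end != '\0' && *end != '\n'))
        return -1;
    return (v >= 0 && v <= 3) ? (int)v : -1;
}

/* One PTRACE_ATTACH attempt under the modes above. All arguments but scope
 * (0..3) are boolean facts about the tracer/inferior pair; 1 = permitted. */
int attach_allowed(int scope, int tracer_has_cap, int same_uid,
                   int target_dumpable, int tracer_is_ancestor,
                   int tracer_declared)
{
    int classic = same_uid && target_dumpable;   /* mode-0 criteria */

    if (scope == 3)
        return 0;                /* no attach, not even with the capability */
    if (tracer_has_cap)
        return 1;                /* CAP_SYS_PTRACE satisfies modes 0, 1 and 2 */
    if (scope == 2)
        return 0;                /* admin-only attach */
    if (scope == 0)
        return classic;
    return classic && (tracer_is_ancestor || tracer_declared);   /* mode 1 */
}

/* PTRACE_TRACEME is untouched in modes 0 and 1, needs CAP_SYS_PTRACE on
 * the would-be tracer in mode 2, and is refused outright in mode 3. */
int traceme_allowed(int scope, int tracer_has_cap)
{
    return scope < 2 || (scope == 2 && tracer_has_cap);
}

/* Inferior side of the mode-1 crash-handler pattern: name the single helper
 * that may PTRACE_ATTACH to us. Returns 0, or -1 (errno EINVAL) without Yama. */
int allow_ptracer(unsigned long handler_pid)
{
    return prctl(PR_SET_PTRACER, handler_pid, 0, 0, 0);
}
```

A handler that forks the helper first and then calls ``allow_ptracer(helper_pid)`` from the inferior is the pattern the page describes for Chromium-style crash reporters; treat ``EINVAL`` as "Yama not active" rather than as a fatal error.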