crash handlers and PTRACE in Ubuntu 10.10

Kees Cook kees.cook at canonical.com
Thu Jul 8 21:09:23 BST 2010


On Thu, Jun 24, 2010 at 11:34:33AM -0700, Kees Cook wrote:
> On Thu, Jun 24, 2010 at 01:15:37PM -0500, Serge E. Hallyn wrote:
> > Quoting Kees Cook (kees at ubuntu.com):
> > > 5) "declared PTRACEing"
> > >    Recognize that the PTRACEing we want to allow is in very specific
> > >    declared situations (i.e. the PID of the debugger is always known by
> > >    the debuggee, so have the debuggee "declare" that it wishes to be
> > >    debugged).  This interface does not exist.  It would require the
> > >    creation of something like:
> > >         ptrace(PTRACE_TRACEDBY, debugger_pid, NULL, NULL);
> > >    This would be, at least for now, an Ubuntu-specific extension.  For
> > >    KDE applications, this is a trivial change, since the KDE crash
> > >    handler stays in a while loop, calling sleep() until the debugger
> > >    process quits.  Chromium would likely need to pass the debugger pid
> > >    back through the segfault handler in the sandbox -- I got lost reading
> > >    the syscall emulation-through-seccomp, so maybe it's as easy as KDE's.
> > 
> > While ptrace(PTRACE_TRACEDBY) is more elegant, if you were to use a
> > new prctl option then your yama lsm could just handle that.  Whereas
> > to have it handle PTRACE_TRACEDBY, I think you'd have to introduce a
> > new lsm hook.
> 
> Okay, well, it'll be a bit of a Linux (and Yama) specific hack for the
> time being, but I think this should be doable.  I'll get something
> prepared for testing.

Okay, this is ready now, and should be testable with the -7 and later
Maverick kernels:

	prctl(PR_SET_PTRACER, debugger_pid, 0, 0, 0);

I've done this for KDE[1], and commented on the Chromium bug[2].

-Kees

[1] http://bazaar.launchpad.net/~kubuntu-members/kdelibs/ubuntu/annotate/head:/debian/patches/kubuntu_69_declare_debugger_pid.diff
[2] http://code.google.com/p/chromium/issues/detail?id=46368

-- 
Kees Cook
Ubuntu Security Team
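
The declaration described in the message above, as an added example that is not part of the original post or of the KDE patch: a process forks a helper standing in for the debugger a crash handler launches, names it with prctl(PR_SET_PTRACER, ...), and the helper reports whether it was allowed to attach. The function name, the pipe handshake and the use of PTRACE_SEIZE (Linux 3.4 and later) in place of a real debugger's attach are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef PR_SET_PTRACER
#define PR_SET_PTRACER 0x59616d61 /* value from <linux/prctl.h> */
#endif

/* Hypothetical helper for this example. Forks a child that stands in for the
 * debugger a crash handler launches; if `declare` is nonzero the parent first
 * names that child as its permitted tracer. Returns 0 if the child could
 * attach, the child's errno (e.g. EPERM) if refused, -1 on setup failure. */
int helper_attach_result(int declare)
{
    int go[2], status;
    char c = 'x';
    pid_t helper;
    if (pipe(go) < 0 || (helper = fork()) < 0)
        return -1;
    if (helper == 0) {
        close(go[1]);
        if (read(go[0], &c, 1) != 1)   /* wait for the parent's go-ahead */
            _exit(255);
        /* Same access check as PTRACE_ATTACH; the target is not stopped. */
        _exit(ptrace(PTRACE_SEIZE, getppid(), NULL, NULL) == 0 ? 0 : errno);
    }
    close(go[0]);
    /* The call from the message. It fails on kernels built without Yama. */
    if (declare && prctl(PR_SET_PTRACER, helper, 0, 0, 0) < 0)
        perror("prctl(PR_SET_PTRACER)");
    if (write(go[1], &c, 1) != 1)
        perror("write");
    close(go[1]);
    while (waitpid(helper, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("undeclared helper: %d\n", helper_attach_result(0));
    printf("declared helper:   %d\n", helper_attach_result(1));
    return 0;
}
```

For an unprivileged user with kernel.yama.ptrace_scope set to 1, the undeclared run reports EPERM (1) and the declared run reports 0.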


