change coming with maverick's 2.6.34-5 kernels
kees at ubuntu.com
Tue Jun 1 18:03:27 BST 2010
On Mon, May 31, 2010 at 04:17:08PM +0100, Matthew Garrett wrote:
> On Sun, May 30, 2010 at 10:03:45PM -0700, Kees Cook wrote:
> > a) PTRACE of direct children only (protects credentials-of-the-past)
> Is this a realistic solution to the attack? If firefox is running
> arbitrary code then firefox is in a position where it can read or inject
> arbitrary input events. Wouldn't it make more sense for this to be
> something that's handled at a security policy level, ie only specific
> applications are permitted to ptrace and firefox isn't allowed to
> execute those applications?
Both AppArmor and SELinux contain PTRACE within a given profile/policy,
so yes, it is confined under those conditions. My concern is for stuff
that isn't covered by an LSM policy. A lot of those things tend to be
running on a desktop, as the same user, so this overlaps well.
As for input events, yes, a great deal of things can be spoofed from an
already compromised process. As Scott James Remnant pointed out in the
kernel-team thread on this patch, a compromised process could just
spawn a process directly and then PTRACE it to do further evil. All that
said, the change to PTRACE is really to protect already-running processes.
Stuff that have credentials, sessions, connections, etc already. Stopping
an attacker from jumping down already-established SSH connections, or
extracting my GPG key from a running gpg-agent. This stops an automated
attack, rather than one that requires applications to be restarted and
users potentially tricked, etc.
Ubuntu Security Team
More information about the ubuntu-devel