change coming with maverick's 2.6.34-5 kernels

[Kees Cook]

On Mon, May 31, 2010 at 04:17:08PM +0100, Matthew Garrett wrote:
> On Sun, May 30, 2010 at 10:03:45PM -0700, Kees Cook wrote:
> 
> >  a) PTRACE of direct children only (protects credentials-of-the-past)
> 
> Is this a realistic solution to the attack? If firefox is running 
> arbitrary code then firefox is in a position where it can read or inject 
> arbitrary input events. Wouldn't it make more sense for this to be 
> something that's handled at a security policy level, ie only specific 
> applications are permitted to ptrace and firefox isn't allowed to 
> execute those applications?

Both AppArmor and SELinux contain PTRACE within a given profile/policy,
so yes, it is confined under those conditions.  My concern is for stuff
that isn't covered by an LSM policy.  A lot of those things tend to be
running on a desktop, as the same user, so this overlaps well.

As for input events, yes, a great deal of things can be spoofed from an
already compromised process.  As Scott James Remnant pointed out in the
kernel-team thread[1] on this patch, a compromised process could just
spawn a process directly and then PTRACE it to do further evil.  All that
said, the change to PTRACE is really to protect already-running processes.
Stuff that have credentials, sessions, connections, etc already.  Stopping
an attacker from jumping down already-established SSH connections, or
extracting my GPG key from a running gpg-agent.  This stops an automated
attack, rather than one that requires applications to be restarted and
users potentially tricked, etc.

-Kees

[1] https://lists.ubuntu.com/archives/kernel-team/2010-May/010502.html

-- 
Kees Cook
Ubuntu Security Team