crash handlers and PTRACE in Ubuntu 10.10
Kees Cook
kees.cook at canonical.com
Thu Jun 24 19:34:33 BST 2010
Hi Serge,
On Thu, Jun 24, 2010 at 01:15:37PM -0500, Serge E. Hallyn wrote:
> Quoting Kees Cook (kees at ubuntu.com):
> > 5) "declared PTRACEing"
> > Recognize that the PTRACEing we want to allow is in very specific
> > declared situations (i.e. the PID of the debugger is always known by
> > the debugee, so have the debugee "declare" that it wishes to be
> > debugged). This interface does not exist. It would require the
> > creation of something like:
> > ptrace(PTRACE_TRACEDBY, debugger_pid, NULL, NULL);
> > This would be, at least for now, an Ubuntu-specific extension. For
> > KDE applications, this is a trivial change, since the KDE crash
> > handler stays in a while loop, calling sleep() until the debugger
> > process quits. Chromium would likely need to pass the debugger pid
> > back through the segfault handler in the sandbox -- I got lost reading
> > the syscall emulation-through-seccomp, so maybe it's as easy as KDE's.
>
> While ptrace(PTRACE_TRACEDBY) is more elegant, if you were to use a
> new prctl option then your yama lsm could just handle that. Whereas
> to have it handle PTRACE_TRACEDBY, I think you'd have to introduce a
> new lsm hook.
Oh hey, I didn't even notice that. include/linux/security.h:
* @task_prctl:
* Check permission before performing a process control operation on the
* current process.
\o/
Okay, well, it'll be a bit of a Linux (and Yama) specific hack for the
time-being, but I think this should be doable. I'll get something
prepared for testing.
-Kees
--
Kees Cook
Ubuntu Security Team
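The "declared PTRACEing" idea from the thread, written out as an added example (not code from the thread, KDE, Chromium or Yama itself): it assumes the prctl interface Yama eventually shipped as PR_SET_PTRACER, and a forked helper that stands in for the debugger.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef PR_SET_PTRACER
#define PR_SET_PTRACER 0x59616d61 /* "Yama" in ASCII; value from linux/prctl.h */
#endif

/* Declare the one pid allowed to PTRACE_ATTACH to us (0 clears the declaration).
 * Returns 0 or -errno; a kernel without Yama answers -EINVAL, which means nothing
 * was restricting the attach in the first place. */
int declare_ptracer(pid_t debugger) {
    return prctl(PR_SET_PTRACER, debugger, 0, 0, 0) == 0 ? 0 : -errno;
}

/* KDE-style handler: fork the helper, declare its pid, then wait until it exits.
 * The pipe holds the helper back until the declaration has been made. */
static void crash_handler(int sig) {
    int go[2];
    char b;
    if (pipe(go) != 0) _exit(128 + sig);
    pid_t helper = fork();
    if (helper == 0) {                       /* helper process: stands in for the debugger */
        pid_t crashed = getppid();
        if (read(go[0], &b, 1) == 1 && ptrace(PTRACE_ATTACH, crashed, NULL, NULL) == 0) {
            waitpid(crashed, NULL, 0);       /* the crashed parent is now stopped for us */
            fprintf(stderr, "helper %d attached to %d (signal %d)\n", getpid(), crashed, sig);
            ptrace(PTRACE_DETACH, crashed, NULL, NULL);
        } else perror("helper could not attach");
        _exit(0);
    }
    if (helper > 0) {
        declare_ptracer(helper);             /* the debuggee declares its debugger */
        if (write(go[1], "x", 1) == 1) waitpid(helper, NULL, 0); /* "sleep until the debugger quits" */
    }
    _exit(128 + sig);
}

int main(void) {
    struct sigaction sa = {0};
    sa.sa_handler = crash_handler;
    sigaction(SIGSEGV, &sa, NULL);
    raise(SIGSEGV);                          /* constructed crash for the demo */
    return 0;
}
```

With ptrace_scope set to 1 the helper's attach only succeeds because of the declaration; on a kernel without Yama the prctl returns EINVAL and the attach succeeds regardless.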