This is an automatically generated e-mail. To reply, visit: https://git.reviewboard.kde.org/r/126203/

On November 30th, 2015, 10:34 a.m. EET, Tobias Berner wrote:

I think FreeBSD 10 introduced a similar interface in r277322 https://svnweb.freebsd.org/base?view=revision&revision=277322 Though it is explicitely stated to not be a "security feature".

According to the man page of progctl https://www.freebsd.org/cgi/man.cgi?query=procctl&apropos=0&sektion=2&manpath=FreeBSD+10.2-RELEASE&arch=default&format=html this would be PROC_TRACE_CTL with data PROC_TRACE_CTL_DISABLE.

I will have to ask someone more familiar with that.

On November 30th, 2015, 10:43 a.m. EET, Martin Gräßlin wrote:

how do I get kwin to output the debug output for the framebuffer backend, with qcdebug lines,

Given the notes on it, that seems fine. It's not my intention to protect against kernel or root.

On November 30th, 2015, 12:22 p.m. EET, Raphael Kubo da Costa wrote:

From a non-Linux perspective, it would be good if there was a CMake check for prctl() and PR_SET_DUMPABLE/PROC_TRACE_CTL with a big warning in case none was found. The oldest supported FreeBSD release (9.x) will be supported until the end of 2016 and it does not have this functionality, and neither do {Net,DragonFly,Open}BSD, so adding the calls without additional checks will just create additional problems for those packaging kscreenlocker for those platforms, and I doubt they will be able to add a replaceme nt for this without help from their kernel (and existing releases would still be broken).

On November 30th, 2015, 5:41 p.m. EET, Martin Gräßlin wrote:

The CMake check seems like a good idea to me - this also allows to make a nice HAVE_PRCTL_DUMPABABLE flag which I would prefer over QOSLINUX or something like that. Anybody know how to write such a check? I assume trying to compile and check whether it compiles?

I think so. Something like this (untested):
include(CheckIncludeFile)
include(CheckSymbolExists)

check_include_file("sys/prctl.h" HAVE_SYS_PRCTL_H)
check_symbol_exists(PR_SET_DUMPABLE "sys/prctl.h" HAVE_PR_SET_DUMPABLE)

check_include_file("sys/procctl.h" HAVE_SYS_PROCCTL_H)
check_symbol_exists(PROC_TRACE_CTL "sys/procctl.h" HAVE_PROC_TRACE_CTL)

if (NOT HAVE_PR_SET_DUMPABLE OR NOT HAVE_PROC_TRACE_CTL)
  message(WARNING "Support for disabling ptrace(2) and core dumps via prctl/procctl is not available. <scary message here>.")
endif ()

configure_file(...)


It's unfortunate that the naming could not be standardized, as now one needs to check for those macros and call different functions with different arguments depending on their values.

- Raphael

On November 30th, 2015, 10:01 a.m. EET, Martin Gräßlin wrote:

Review request for Plasma and Tobias Berner.

By Martin Gräßlin.

Updated Nov. 30, 2015, 10:01 a.m.

Repository: kscreenlocker

Description

Setting the PR_SET_DUMPABLE flag to 0 for the security relevant command kcheckpass and kscreenlocker_greet. If one wants to gdb into the running command it will result in:

ptrace: Operation not permitted.

For kscreenlocker_greet ptrace is permitted in testing mode.

As root it's still possible to attach to the process.

@Tobias: I assume this is a strong linux-ism. Is there a FreeBSD compareable functionality?

I'm considering to push this explicitly without an ifdef. It's a new security feature and I want to make non-Linux systems aware of the fact that it adds a new feature and that a replacement should be added.

Testing

Tried to gdb into the processes: failed Tried to gdb into kscreenlocker_greet --testing: succeeded Tried to gdb into kscreenlocker_greet as root: succeeded

Diffs

greeter/main.cpp (e4e679e7ef40b319665428281fdba5f4e0b4eb25)
kcheckpass/kcheckpass.c (fd2d2215bf2199f159a121bb0ce08e7b2b254aaa)

View Diff