On Wed, May 9, 2012 at 1:43 AM, Brad Spengler <[email protected]> wrote:
> Hi guys,
>
> I'm writing to report this before the recent release sees more
> widespread use. I've already had one report from a user of strace v4.7
> failing on a grsecurity kernel when run with the -f argument. Strace
> (due to what IMO is a bug) is randomly conflicting with a feature of
> grsecurity that prevents ptracing processes other than one's descendants.
> Since Ubuntu's kernel carries the same logic/algorithm as grsecurity
> through the Yama module, strace will likewise fail on their kernels.
>
> I've investigated the problem a bit. The failing code (in strace.c) is:
>     if (tracee_pid != pid) {
>         found_grandchild = tracee_pid;
>         if (ptrace(PTRACE_CONT, tracee_pid, 0, 0) < 0) {
>             kill_save_errno(tracee_pid, SIGKILL);
>             kill_save_errno(pid, SIGKILL);
>             perror_msg_and_die("PTRACE_CONT doesn't work");
>         }
>         continue;
>     }
This code senses that the grandchild was found in stopped state.
It sends PTRACE_CONT to grandchild.
What operation fails? PTRACE_CONT?
> This happens because of the raciness of the following code (in strace.c):
>     if (pid == 0) {
>         pid = getpid();
>         if (ptrace(PTRACE_TRACEME, 0L, 0L, 0L) < 0)
>             perror_msg_and_die("%s: PTRACE_TRACEME doesn't work",
>                                __func__);
>         kill_save_errno(pid, SIGSTOP);
>         if (fork() < 0)
>             perror_msg_and_die("fork");
>         _exit(0);
>     }
>
> Sometimes the child exits before the PTRACE_CONT is issued against the
> grandchild, while other times the child exits after. If the child exits
> after, there are no issues, as the grandchild keeps its descendant
> relation to the ptracing grandparent. If the child exits before,
> however, it gets reparented to init, breaking the ability to walk back
> through the ancestors of the grandchild to reach the (previous)
> grandparent. Because of this, grsecurity (and Ubuntu) will deny the
> ptrace to the grandchild.
Are you saying that grsecurity may deny ptrace commands to be sent
to an already-attached tracee??? (As opposed to "grsecurity
denies attaching to a process that isn't our descendant").
If yes, then it sounds like a misfeature in grsecurity.
--
vda
>
> Let me know if you need straces of the failing and successful cases in
> order to fix the bug, but it should be as simple as adding a wait
> before exiting out of the child.
>
> Thanks,
> -Brad
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Strace-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/strace-devel
>
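The descendant rule Brad describes, as an added example that is not strace code and not part of the original thread: a small C model of the ancestor walk that Yama ptrace_scope=1 and grsecurity apply, run over a constructed process table, showing why the grandchild passes the check while the intermediate child is still alive and fails once the child has exited and the grandchild has been reparented to init. The pids 100/101/102 and the table layout are assumptions; the CAP_SYS_PTRACE and PR_SET_PTRACER exceptions are not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

/* Minimal model of a process table: (pid, parent pid) pairs.
 * Constructed for this example; a real user-space checker would read the
 * "PPid:" line of /proc/<pid>/status, and the kernel walks task->real_parent. */
struct proc_entry { pid_t pid; pid_t ppid; };

static pid_t lookup_ppid(const struct proc_entry *tab, size_t n, pid_t pid)
{
    for (size_t i = 0; i < n; i++)
        if (tab[i].pid == pid)
            return tab[i].ppid;
    return -1; /* unknown pid */
}

/* The descendant rule: tracer may ptrace tracee only if tracer is met while
 * walking up tracee's parent chain. The walk stops at init (pid 1). */
bool descendant_rule_allows(const struct proc_entry *tab, size_t n,
                            pid_t tracer, pid_t tracee)
{
    pid_t cur = tracee;
    while (cur > 1) {
        cur = lookup_ppid(tab, n, cur);
        if (cur == tracer)
            return true;
        if (cur < 0)
            return false;
    }
    return false;
}

/* Scenario 1 (assumed pids): strace is 100, its child 101, the grandchild 102,
 * and the child is still alive when strace resumes the grandchild.
 * The walk 102 -> 101 -> 100 reaches the tracer, so ptrace is allowed. */
const struct proc_entry child_still_alive[] = {
    { 100, 1 }, { 101, 100 }, { 102, 101 },
};

/* Scenario 2: the child exited first and the grandchild was reparented to
 * init. The walk 102 -> 1 never meets pid 100, so ptrace is denied. */
const struct proc_entry child_already_exited[] = {
    { 100, 1 }, { 102, 1 },
};

bool grandchild_allowed_while_child_alive(void)
{ return descendant_rule_allows(child_still_alive, 3, 100, 102); }

bool grandchild_denied_after_child_exit(void)
{ return !descendant_rule_allows(child_already_exited, 2, 100, 102); }
```

Keeping the intermediate child alive (by waiting) until the tracer has resumed the grandchild is exactly what keeps scenario 1 in force.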