use PT_DENY_ATTACH on Mac OS X

Peter Moody mindrot at hda3.com
Tue Nov 1 08:06:47 AEDT 2016


sgtm

for some reason I thought you were already doing this.

On Tue, Oct 25, 2016 at 5:30 PM, Darren Tucker <dtucker at zip.com.au> wrote:
> Hi.
>
> Mac OS X has a PT_DENY_ATTACH argument to ptrace(2) which does what
> it says on the tin:
>
>  PT_DENY_ATTACH
>            This request is the other operation used by the traced
>            process; it allows a process that is not currently being
>            traced to deny future traces by its parent.  All other
>            arguments are ignored.  If the process is currently being
>            traced, it will exit with the exit status of ENOTSUP; oth-
>            erwise, it sets a flag that denies future traces.  An
>            attempt by the parent to trace a process which has set this
>            flag will result in a segmentation violation in the parent
>
> Any reason not to use it in platform_disable_tracing() ?
>
> diff --git a/configure.ac b/configure.ac
> index f5e1378..88c4633 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -405,6 +405,7 @@ AC_CHECK_HEADERS([ \
>         sys/poll.h \
>         sys/prctl.h \
>         sys/pstat.h \
> +       sys/ptrace.h \
>         sys/select.h \
>         sys/stat.h \
>         sys/stream.h \
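Review bot: the new `sys/ptrace.h` entry only tests that the header exists, while the code later in this patch is gated on `#ifdef PT_DENY_ATTACH`, so HAVE_SYS_PTRACE_H ends up saying nothing about whether the request is available. Consider probing the symbol itself as well, for example with AC_CHECK_DECLS([PT_DENY_ATTACH]) including sys/types.h and sys/ptrace.h, so the feature test does not depend on the constant being a preprocessor macro.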
> diff --git a/platform-tracing.c b/platform-tracing.c
> index 81020e7..4c80a28 100644
> --- a/platform-tracing.c
> +++ b/platform-tracing.c
> @@ -20,6 +20,9 @@
>  #if defined(HAVE_SYS_PRCTL_H)
>  #include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */
>  #endif
> +#ifdef HAVE_SYS_PTRACE_H
> +#include <sys/ptrace.h>
> +#endif
>  #ifdef HAVE_PRIV_H
>  #include <priv.h> /* For setpflags() and __PROC_PROTECT  */
>  #endif
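Review bot: the added `#include <sys/ptrace.h>` has no trailing comment, unlike the prctl.h and priv.h includes on either side of it, which each name the symbols they are pulled in for. Suggest `#include <sys/ptrace.h> /* For ptrace() and PT_DENY_ATTACH */` to match.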
> @@ -40,4 +43,9 @@ platform_disable_tracing(int strict)
>         if (setpflags(__PROC_PROTECT, 1) != 0 && strict)
>                 fatal("unable to make the process untraceable");
>  #endif
> +#ifdef PT_DENY_ATTACH
> +       /* Mac OS X */
> +       if (ptrace(PT_DENY_ATTACH, 0, 0, 0) == -1 && strict)
> +               fatal("unable to set PT_DENY_ATTACH");
> +#endif
>  }
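Review bot: in the `ptrace(PT_DENY_ATTACH, 0, 0, 0)` call, `strict` only governs the -1 return path. Per the man page text quoted at the top of this message, a process that is already being traced exits with the exit status of ENOTSUP, so a non-strict caller still cannot be run under a debugger on this platform. Worth stating that in the `/* Mac OS X */` comment and deciding whether non-strict callers should skip the request. The fatal() message could also report strerror(errno), although the setpflags() branch just above omits it too.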
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

