On Mon, Jul 7, 2014 at 8:25 PM, Nick Kralevich <[email protected]> wrote:

>
> I realized I never replied to this e-mail. My apologies for the delayed
> response.
>
> To use PTRACE_TRACEME, one of two conditions must be met:
>
> 1) You must have the same UID / GID / etc as your parent; or
> 2) Your parent must have CAP_SYS_PTRACE
>
> (See
> https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/kernel/ptrace.c?id=refs/tags/v3.4.74
> lines 247-258).
>
> In 4.3, zygote was running unconfined as root, which naturally has
> CAP_SYS_PTRACE. As a result, zygote had the capability to trace any
> process, and zygote's children could happily ask for PTRACE_TRACEME and
> have it work. Zygote would never actually attempt to trace a process, but
> it was overprivileged and had the capability.
>
> In 4.4, the Android zygote process was moved into SELinux enforcing mode,
> with the following policy
>
>
> https://android.googlesource.com/platform/external/sepolicy/+/android-4.4.2_r1/zygote.te
>
> In particular, note that zygote DOES NOT have the CAP_SYS_PTRACE
> capability. Without this capability, an attempt by a child to ask its
> parent to trace it is denied. That's why prctl(PR_SET_DUMPABLE) returns
> EPERM.
>

OOPS. Not prctl, but ptrace(PTRACE_TRACEME, 0, 0, 0) returns EPERM.


>
> Quoting the "man ptrace" manpage:
>
> *PTRACE_TRACEME*
>
> *Indicates that this process is to be traced by its parent. Any
> signal (except SIGKILL) delivered to this process cause it to stop and its
> parent to be notified via wait(2). Also, all subsequent calls to execve(2)
> by this process will cause a SIGTRAP to be sent to it, giving the parent a
> chance to gain control before the new program begins execution. A process
> probably shouldn't make this request if its parent isn't expecting to
> trace it. (pid, addr, and data are ignored.)*
>
>
> Zygote has no desire to actually trace a process, which is why it doesn't
> have CAP_SYS_PTRACE. Apps asking for PTRACE_TRACEME are using an
> unsupported anti-debugging technique which doesn't work on Android 4.4 and
> above.
>
> -- Nick
>
> On Thu, Dec 12, 2013 at 3:51 AM, Holger Ihrig <[email protected]>
> wrote:
>
>> Hi Nick,
>>
>> I tried the prctl(PR_SET_DUMPABLE, 1, 0, 0, 0); and it did not change
>> anything.
>> As for the errno I am getting 13 Permission Denied.
>>
>> -- Holger
>>
>> On Wednesday, December 11, 2013 4:23:19 PM UTC+1, Holger Ihrig wrote:
>>
>>> Hi everyone,
>>>  I hope this is the right ML to ask this question. I am working on an
>>> App for Android and I recently got a problem running it on KitKat.
>>> For Android 4.4 it seems that ptrace has been disallowed maybe by
>>> SELinux implementation. When calling ptrace(PTRACE_TRACEME, 0, 0, 0) to
>>> prevent a debugger from attaching, it returns -1. When I am running this
>>> through adb-shell ptrace() it works as expected.
>>>  Does anyone know if there have been changes in regards to this? Is
>>> there a way to reenable the correct behaviour for ptrace or some other way
>>> to disallow attaching ptrace to the application?
>>>  Any clarification on this would be highly appreciated.
>>> BR
>>> Holger
>>>
>>  --
>> You received this message because you are subscribed to the Google Groups
>> "Android Security Discussions" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To post to this group, send email to
>> [email protected].
>> Visit this group at
>> http://groups.google.com/group/android-security-discuss.
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>
>
>
> --
> Nick Kralevich | Android Security | [email protected] | 650.214.4037
>



-- 
Nick Kralevich | Android Security | [email protected] | 650.214.4037
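
An added example (not code from this thread or from Android) of how a process could interpret a refused ptrace(PTRACE_TRACEME) rather than reading every -1 as "a debugger is attached": it uses TracerPid from /proc/self/status to separate "a tracer is already present" from "the parent is not permitted to trace us". The enum and function names are hypothetical, the errno values checked are the two reported in this thread (EPERM and 13, EACCES), and probe_traceme() forks, so its result describes this process and its own child rather than an app and zygote.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

enum traceme { TRACEME_OK, TRACEME_ALREADY_TRACED, TRACEME_DENIED, TRACEME_OTHER };
/* Extract TracerPid from the text of /proc/<pid>/status; -1 if the field is missing. */
long parse_tracer_pid(const char *status)
{
    const char *p = strstr(status, "TracerPid:");
    return p ? strtol(p + strlen("TracerPid:"), NULL, 10) : -1;
}

/* A refusal (EPERM, or errno 13 / EACCES as reported in the thread) has two
 * causes: a tracer is already attached, or the parent may not trace us. */
enum traceme classify_traceme(long rc, int err, long tracer_pid)
{
    if (rc == 0) return TRACEME_OK;
    if (err != EPERM && err != EACCES) return TRACEME_OTHER;
    return tracer_pid > 0 ? TRACEME_ALREADY_TRACED : TRACEME_DENIED;
}

/* Run the request in a throwaway child so the caller itself is never left traced. */
int probe_traceme(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char buf[4096] = "";
        FILE *f = fopen("/proc/self/status", "r");
        if (f) { buf[fread(buf, 1, sizeof buf - 1, f)] = '\0'; fclose(f); }
        long tracer = parse_tracer_pid(buf);   /* read before the request */
        long rc = ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        _exit(classify_traceme(rc, errno, tracer));
    }
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

int main(void)
{
    static const char *names[] = { "ok", "already traced", "denied by policy", "other error" };
    int r = probe_traceme();
    printf("PTRACE_TRACEME: %s\n", r < 0 ? "probe failed" : names[r]);
    return 0;
}
```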
