Discussion:
Permission Changes for ptrace in Kitkat?
Holger Ihrig
2013-12-11 15:23:19 UTC
Hi everyone,
I hope this is the right ML to ask this question. I am working on an App
for Android and I recently got a problem running it on Kitkat.
For Android 4.4 it seems that ptrace has been disallowed maybe by SELinux
implementation. When calling ptrace(PTRACE_TRACEME, 0, 0, 0) to prevent a
debugger from attaching, it returns -1. When I am running this through
adb-shell ptrace() it works as expected.
Does anyone know if there have been changes in regards to this? Is there a
way to reenable the correct behaviour for ptrace or some other way to
disallow attaching ptrace to the application?
Any clarification on this would be highly appreciated.
BR
Holger
--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-security-discuss+***@googlegroups.com.
To post to this group, send email to android-security-***@googlegroups.com.
Visit this group at http://groups.google.com/group/android-security-discuss.
For more options, visit https://groups.google.com/groups/opt_out.
Nick Kralevich
2013-12-11 17:07:35 UTC
What errno are you seeing when ptrace(PTRACE_TRACEME) returns -1?

-- Nick
--
Nick Kralevich | Android Security | ***@google.com | 650.214.4037
Nick Kralevich
2013-12-11 17:12:28 UTC
Does it work if you add:

prctl(PR_SET_DUMPABLE, 1, 0, 0, 0);

before the call to ptrace(PTRACE_TRACEME)?
Holger Ihrig
2013-12-12 11:51:55 UTC
Hi Nick,

I tried the prctl(PR_SET_DUMPABLE, 1, 0, 0, 0); and it did not change
anything.
As for the errno I am getting 13 Permission Denied.

-- Holger
'Nick Kralevich' via Android Security Discussions
2014-07-08 03:31:03 UTC
Post by 'Nick Kralevich' via Android Security Discussions
I realized I never replied to this e-mail. My apologies for the delayed
response.
1) You must have the same UID / GID / etc as your parent; or
2) Your parent must have CAP_SYS_PTRACE
(See
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/kernel/ptrace.c?id=refs/tags/v3.4.74
lines 247-258).
In 4.3, zygote was running unconfined as root, which naturally has
CAP_SYS_PTRACE. As a result, zygote had the capability to trace any
process, and zygote's children could happily ask for PTRACE_TRACEME and
have it work. Zygote would never actually attempt to trace a process, but
it was over privileged and had the capability.
In 4.4, the Android zygote process was moved into SELinux enforcing mode,
with the following policy
https://android.googlesource.com/platform/external/sepolicy/+/android-4.4.2_r1/zygote.te
In particular, note that zygote DOES NOT have the CAP_SYS_PTRACE
capability. Without this capability, an attempt by a child to ask its
parent to trace it is denied. That's why prctl(PR_SET_DUMPABLE) returns
EPERM.
OOPS. Not prctl, but ptrace(PTRACE_TRACEME, 0, 0, 0) returns EPERM.
Post by 'Nick Kralevich' via Android Security Discussions
*PTRACE_TRACEME*
*Indicates that this process is to be traced by its parent. Any
signal (except SIGKILL) delivered to this process will cause it to stop and its
parent to be notified via wait(2). Also, all subsequent calls to execve(2)
by this process will cause a SIGTRAP to be sent to it, giving the parent a
chance to gain control before the new program begins execution. A process
probably shouldn't make this request if its parent isn't expecting to
trace it. (pid, addr, and data are ignored.)*
Zygote has no desire to actually trace a process, which is why it doesn't
have CAP_SYS_PTRACE. Apps asking for PTRACE_TRACEME are using an
unsupported anti-debugging technique which doesn't work on Android 4.4 and
above.
-- Nick
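
The diagnostic asked for earlier in the thread (which errno PTRACE_TRACEME fails with), together with a check of the parent's CAP_SYS_PTRACE bit, as an added example that is not code from the thread or from Android. The function names and the two status excerpts are constructed for illustration, and a Linux /proc filesystem is assumed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

#define CAP_SYS_PTRACE_BIT 19 /* CAP_SYS_PTRACE in <linux/capability.h> */

/* Constructed /proc/<pid>/status excerpts (not captured from a device). */
const char ROOT_LIKE[] = "Name:\tparent\nCapEff:\tffffffffffffffff\n";
const char CONFINED[]  = "Name:\tparent\nCapEff:\t00000000000000c0\n";

/* 1 if the CapEff line has CAP_SYS_PTRACE set, 0 if clear, -1 if no CapEff line. */
int has_cap_sys_ptrace(const char *status)
{
    const char *p = strstr(status, "CapEff:");
    if (p == NULL)
        return -1;
    unsigned long long eff = strtoull(p + strlen("CapEff:"), NULL, 16);
    return (int)((eff >> CAP_SYS_PTRACE_BIT) & 1ULL);
}

/* Fork a child that asks to be traced by us, so the calling process is never
 * left traced. Returns 0 on success, the child's errno on failure, or -1 if
 * fork/wait itself failed. */
int traceme_errno(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1 ? errno : 0);
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st);
}

int main(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r"); /* we are the child's parent */
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    buf[n] = '\0';
    if (f) fclose(f);
    int e = traceme_errno();
    printf("parent CAP_SYS_PTRACE bit: %d\n", has_cap_sys_ptrace(buf));
    printf("PTRACE_TRACEME: %s (%d)\n", e > 0 ? strerror(e) : (e == 0 ? "ok" : "fork/wait failed"), e);
    return 0;
}
```

A security module such as SELinux can deny the request even when the CapEff bit is set, so the errno reported by the child is the authoritative result and the capability bit is only a hint.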