diff options
author | Jesse Luehrs <doy@tozt.net> | 2021-02-27 21:54:10 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-02-27 21:54:10 -0500 |
commit | 194e0fcbbad9d6496e6c5a653064824201163002 (patch) | |
tree | 88ed83f749c0618e9162da3d5e5ee16f23b93c14 | |
parent | 4913fb0af033714841c5e8189f41f10003d336d4 (diff) | |
parent | ed07bee4a8a9cf7b1cf7b5c8c5d3615ebe0d9404 (diff) | |
download | rbw-194e0fcbbad9d6496e6c5a653064824201163002.tar.gz rbw-194e0fcbbad9d6496e6c5a653064824201163002.zip |
Merge pull request #42 from oranenj/linux-disallow-ptrace
Use prctl in rbw-agent on Linux to prevent PTRACE_ATTACH
-rw-r--r-- | src/bin/rbw-agent/main.rs | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/src/bin/rbw-agent/main.rs b/src/bin/rbw-agent/main.rs index 88dd453..81090e5 100644 --- a/src/bin/rbw-agent/main.rs +++ b/src/bin/rbw-agent/main.rs @@ -59,7 +59,26 @@ fn real_main() -> anyhow::Result<()> { Ok(()) } +const PR_SET_DUMPABLE: i32 = 4; + +#[cfg(target_os = "linux")] +fn disable_tracing() { + let ret = unsafe { libc::prctl(PR_SET_DUMPABLE, 0) }; + if ret != 0 { + println!("rbw-agent: Failed to disable PTRACE_ATTACH. Agent memory may be dumpable by other processes."); + } +} + +#[cfg(not(target_os = "linux"))] +fn disable_tracing() { + println!("rbw-agent: Unable to disable PTRACE_ATTACH on this platform: not implemented. Agent memory may be dumpable by other processes."); +} + fn main() { + // Prevent other user processes from attaching to the rbw agent and dumping memory + // This is not perfect protection, but closes a door. Unfortunately, prctl only works + // on Linux. + disable_tracing(); let res = real_main(); if let Err(e) = res { |