electrum/electrum/harden_memory_linux.py

# Copyright (C) 2020 cptpcrd
# Copyright (C) 2025 The Electrum developers
# Distributed under the MIT software license, see the accompanying
# file LICENCE or http://www.opensource.org/licenses/mit-license.php
#
# based on https://github.com/cptpcrd/pyprctl/blob/578ed3e81066a8a61dede912454d5eeaef37eeea/pyprctl/ffi.py#L28
#
# This module tries to restrict the ability of other processes to access the memory of our process.
# Traditionally, on Linux, one process can access the memory of another arbitrary process
# if both are running as the same user (uid). (Root can ofc access the memory of ~any process)
# Programs can opt-out from this by setting prctl(PR_SET_DUMPABLE, 0);
#
# Besides PR_SET_DUMPABLE, there are ways to globally restrict this for all processes:
# 1. The Yama (Linux Security Module) ptrace scope can be used to reduce these permissions
#    This runtime kernel parameter can be set to the following options:
#      0 - Default attach security permissions.
#      1 - Restricted attach. Only child processes plus normal permissions.
#      2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.
#      3 - No attach. No process may call ptrace at all. Irrevocable.
#    # Note: The default value of kernel.yama.ptrace_scope is distro-specific.
#    #       See `$ cat /proc/sys/kernel/yama/ptrace_scope`.
#    #       - ubuntu 22.04 sets it to 1 (see /etc/sysctl.d/10-ptrace.conf),
#    #       - debian 12 sets it to 0
#    #       - manjaro sets it to 1
# 2. SELinux: ptrace can be restricted by setting the selinux deny_ptrace boolean.
#
# For a quick test on your system, try:
#   $ cat /proc/$$/mem > /dev/null
#   cat: /proc/4907/mem: Permission denied
# Getting "Permission denied" means access failed, "Input/output error" means access succeeded.

import ctypes
import ctypes.util
import os
import sys
from typing import Optional

from .logging import get_logger


_logger = get_logger(__name__)

PR_GET_DUMPABLE = 3
PR_SET_DUMPABLE = 4


_libc = None  # type: Optional[ctypes.CDLL]
def _load_libc():
    global _libc
    if _libc is not None:
        return
    #assert sys.platform == "linux", sys.platform
    # note: find_library can raise FileNotFoundError(OSError), see https://github.com/python/cpython/issues/93094
    _libc_path = ctypes.util.find_library("c")
    _libc = ctypes.CDLL(_libc_path, use_errno=True)
    _libc.prctl.argtypes = (ctypes.c_int, ctypes.c_ulong, ctypes.c_ulong, ctypes.c_ulong, ctypes.c_ulong)
    _libc.prctl.restype = ctypes.c_int


def set_dumpable(flag: bool) -> None:
    """Set the "dumpable" attribute on the current process.
    This controls whether a core dump will be produced if the process receives a signal whose
    default behavior is to produce a core dump.
    In addition, processes that are not dumpable cannot be attached with ptrace() PTRACE_ATTACH.

    In effect, another process running as the same user as us can read our memory if we are dumpable.
    """
    _load_libc()
    res = _libc.prctl(PR_SET_DUMPABLE, int(bool(flag)), 0, 0, 0)
    if res < 0:
        eno = ctypes.get_errno()
        raise OSError(eno, os.strerror(eno), None, None, None)


def set_dumpable_safe(flag: bool) -> None:
    try:
        _load_libc()
    except Exception as e:
        _logger.exception("error loading libc")
        return
    assert _libc is not None
    try:
        set_dumpable(flag)
    except OSError as e:
        _logger.error(f"libc.prctl(PR_SET_DUMPABLE, {flag}) errored: {e}")


def get_dumpable() -> bool:
    _load_libc()
    res = _libc.prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)
    if res < 0:
        eno = ctypes.get_errno()
        raise OSError(eno, os.strerror(eno), None, None, None)
    return res != 0