Expand harden_process: PR_SET_DUMPABLE=0, PR_SET_NO_NEW_PRIVS=1 on Linux (#61)

harden_process previously only called setrlimit(RLIMIT_CORE, 0). Two
low-cost Linux additions close meaningful attack surface:

- PR_SET_DUMPABLE=0: makes /proc/<pid>/mem readable only by root,
  not the same UID, and denies ptrace attach to non-root peers. The
  same-UID attacker who was the biggest residual threat against
  decrypted plaintext in process memory now loses their
  ptrace / /proc/mem handle.
- PR_SET_NO_NEW_PRIVS=1: an exec*() after this point can't inherit
  setuid or file-capabilities privileges. The enclave apps never
  setuid, and the wrapped child processes they spawn (npm, git,
  awscli) don't benefit from it either — so this is free.

Both are done via direct libc::prctl calls under #[allow(unsafe_code)]
with tracing::warn!-on-failure semantics matching the existing
setrlimit path. Linux-only (cfg(target_os = "linux")) — the prctl
calls don't exist elsewhere.

Still not applied: RLIMIT_AS, seccomp-bpf, macOS PT_DENY_ATTACH,
Windows SetProcessMitigationPolicy. Threat-model section rewritten
to describe the new posture and the remaining gaps.

Co-authored-by: Jay Gowdy <jay@gowdy.me>

Author: jgowdy-godaddy

THREAT_MODEL.md

@@ -112,7 +112,13 @@ Unsafe FFI surfaces are trusted by design but fragile.
 
 ### Process hardening scope
 
-`enclaveapp_core::process::harden_process()` (`crates/enclaveapp-core/src/process.rs`) currently only calls `disable_core_dumps` (`setrlimit(RLIMIT_CORE, 0)` on Unix; no-op on Windows). It does **not** apply `PR_SET_DUMPABLE=0`, `NO_NEW_PRIVS`, ptrace-blocking, `RLIMIT_AS`, or Windows `SetProcessMitigationPolicy`. A same-UID attacker can still `ptrace` into a running process and read decrypted plaintext in the window between hardware-decrypt and consumer handoff. Applications that want stricter memory protection must add their own mitigations on top.
+`enclaveapp_core::process::harden_process()` (`crates/enclaveapp-core/src/process.rs`) applies:
+
+- **All Unix:** `setrlimit(RLIMIT_CORE, 0)` — no core dumps.
+- **Linux:** `prctl(PR_SET_DUMPABLE, 0)` — `/proc/<pid>/mem` becomes root-only; `ptrace` attach from non-root peers is denied by the kernel even within the same UID.
+- **Linux:** `prctl(PR_SET_NO_NEW_PRIVS, 1)` — subsequent `exec*()` cannot gain setuid / file-capabilities privileges; shrinks the surface for wrapped-child-process escalation.
+
+Still not applied: `RLIMIT_AS`, seccomp-bpf system-call filtering, macOS `ptrace(PT_DENY_ATTACH)` (deprecated and fragile), and Windows `SetProcessMitigationPolicy`. Root can still dump memory unconditionally on any platform. Applications that want stricter memory protection must add their own mitigations on top.
 
 ### Zeroize coverage
 

crates/enclaveapp-core/src/process.rs

@@ -1,16 +1,28 @@
 //! Process-level security hardening.
 //!
 //! Call `harden_process()` early in `main()` to apply platform-appropriate
-//! protections: disable core dumps and lock secret memory pages.
+//! protections: disable core dumps, block ptrace-based memory reads on
+//! Linux, prevent privilege gain from setuid/fcaps (Linux), and lock
+//! secret memory pages.
 
 /// Apply process-level security hardening.
 ///
-/// - Disables core dumps (prevents secrets from appearing in crash dumps)
-/// - Should be called early in main() before any secrets are loaded
+/// - Disables core dumps (prevents secrets from appearing in crash dumps).
+/// - On Linux, sets `PR_SET_DUMPABLE=0` so `/proc/<pid>/mem` is only
+///   readable by root, not the same user, and ptrace attach is denied
+///   to non-root peers.
+/// - On Linux, sets `PR_SET_NO_NEW_PRIVS=1` so any `exec*()` after this
+///   point cannot gain privileges via setuid / file capabilities.
 ///
+/// Should be called early in main() before any secrets are loaded.
 /// Errors are logged but not fatal — hardening is best-effort.
 pub fn harden_process() {
     disable_core_dumps();
+    #[cfg(target_os = "linux")]
+    {
+        set_dumpable_zero();
+        set_no_new_privs();
+    }
 }
 
 /// Disable core dumps to prevent secrets from appearing in crash dumps.
@@ -39,6 +51,42 @@ fn disable_core_dumps() {
     // WER (Windows Error Reporting) settings control this globally.
 }
 
+/// Linux: set `PR_SET_DUMPABLE = 0`.
+///
+/// Prevents ptrace attach from non-root peers and makes `/proc/<pid>/mem`
+/// readable only by root. This closes the main in-memory attack vector
+/// against a running enclave-app process from a same-UID attacker.
+#[cfg(target_os = "linux")]
+#[allow(unsafe_code)]
+fn set_dumpable_zero() {
+    let result = unsafe { libc::prctl(libc::PR_SET_DUMPABLE, 0_u64, 0, 0, 0) };
+    if result != 0 {
+        tracing::warn!(
+            "failed to set PR_SET_DUMPABLE=0: {}",
+            std::io::Error::last_os_error()
+        );
+    }
+}
+
+/// Linux: set `PR_SET_NO_NEW_PRIVS = 1`.
+///
+/// Once set, subsequent `exec*()` calls cannot grant the child new
+/// privileges via setuid bits or file capabilities. The enclave apps
+/// do not rely on setuid execution, so the restriction is safe and
+/// shrinks the post-exec privilege-escalation surface for any child
+/// processes the app spawns (e.g. wrapped `npm`, `git`, `awscli`).
+#[cfg(target_os = "linux")]
+#[allow(unsafe_code)]
+fn set_no_new_privs() {
+    let result = unsafe { libc::prctl(libc::PR_SET_NO_NEW_PRIVS, 1_u64, 0, 0, 0) };
+    if result != 0 {
+        tracing::warn!(
+            "failed to set PR_SET_NO_NEW_PRIVS=1: {}",
+            std::io::Error::last_os_error()
+        );
+    }
+}
+
 /// Lock a memory region to prevent it from being paged to swap.
 ///
 /// Call this on buffers containing secrets. The memory will remain in RAM