Re: SELinuxDenyPtrace: Write, compile, run, but don't debug applications?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Le mardi 10 avril 2012 à 02:57 +0100, Matthew Garrett a écrit :
> On Mon, Apr 09, 2012 at 09:18:13PM -0400, Daniel J Walsh wrote:
> > On 04/09/2012 05:06 PM, Matthew Garrett wrote:
> > > On Mon, Apr 09, 2012 at 04:55:27PM -0400, Daniel J Walsh wrote:
> > > 
> > >> And guess what I use these tools, and I just execute setsebool
> > >> deny_ptrace 0 anytime I need to strace or debug an application, then I
> > >> turn it back on when I am done.
> > > 
> > > Are we able to determine that strace or gdb have been explicitly started by
> > > the user rather than from some more confined application?
> > > 
> > We already block ptrace from almost every confined domain other then user domains.
> 
> Ok, so if anything that's already a likely target of attack is unable to 
> initiate ptrace or start a process that can ptrace, what real extra 
> security do we gain by disabling it by default?

AFAIK, firefox is not running in a confined domain, and that's a
valuable target of attack. The same could be said of some others
applications ( like acroread, etc ).

-- 
Michael Scherer

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel



[Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Legacy Announce]     [Home]     [Fedora Tools]     [Fedora PHP Devel]     [Kernel List]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

Add to Google Powered by Linux