Re: SELinuxDenyPtrace: Write, compile, run, but don't debug applications?
On Tuesday, 10 April 2012 at 02:57 +0100, Matthew Garrett wrote:
> On Mon, Apr 09, 2012 at 09:18:13PM -0400, Daniel J Walsh wrote:
> > On 04/09/2012 05:06 PM, Matthew Garrett wrote:
> > > On Mon, Apr 09, 2012 at 04:55:27PM -0400, Daniel J Walsh wrote:
> > >
> > >> And guess what I use these tools, and I just execute setsebool
> > >> deny_ptrace 0 anytime I need to strace or debug an application, then I
> > >> turn it back on when I am done.
> > >
> > > Are we able to determine that strace or gdb have been explicitly started by
> > > the user rather than from some more confined application?
> > >
> > We already block ptrace from almost every confined domain other than user domains.
>
> Ok, so if anything that's already a likely target of attack is unable to
> initiate ptrace or start a process that can ptrace, what real extra
> security do we gain by disabling it by default?
AFAIK, firefox is not running in a confined domain, and that's a
valuable target of attack. The same could be said of some other
applications (like acroread, etc.).
--
Michael Scherer
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
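An added example, not code from this thread or from the Fedora project: it scripts the workflow Daniel Walsh describes above (clear deny_ptrace, run strace or gdb, turn the boolean back on) so that the boolean cannot be left off by accident, and adds the check Michael Scherer's reply calls for, namely which SELinux domain a given process actually runs in. It assumes a Fedora-style host with getsebool/setsebool from policycoreutils and root for setsebool; the GETSEBOOL and SETSEBOOL variables, the function names and the sample contexts are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes getsebool/setsebool
# (policycoreutils) and root privileges; GETSEBOOL/SETSEBOOL may be overridden
# (for instance with stub functions) so the parsing logic can be exercised
# on a host without SELinux.

: "${GETSEBOOL:=getsebool}"
: "${SETSEBOOL:=setsebool}"

# Parse one line of getsebool output ("deny_ptrace --> on"); print on/off.
# Returns 2 for anything else (SELinux disabled, boolean missing, typo).
parse_getsebool_line() {
    case "$1" in
        "deny_ptrace --> on")  echo on  ;;
        "deny_ptrace --> off") echo off ;;
        *) return 2 ;;
    esac
}

# Current state of the deny_ptrace boolean on this host.
deny_ptrace_state() {
    line=$("$GETSEBOOL" deny_ptrace 2>/dev/null) || return 2
    parse_getsebool_line "$line"
}

# Type field of a security context, e.g.
# "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" -> unconfined_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeeds if the pid runs in a confined domain (anything but unconfined_t).
# /proc/<pid>/attr/current holds the process's SELinux context.
pid_is_confined() {
    ctx=$(cat "/proc/$1/attr/current" 2>/dev/null) || return 2
    [ "$(context_type "$ctx")" != "unconfined_t" ]
}

# Run "$@" (e.g. strace -p PID, gdb ./prog) with ptrace permitted, then
# restore deny_ptrace even if the command fails or the shell is interrupted.
with_ptrace() {
    state=$(deny_ptrace_state) || state=none
    if [ "$state" != "on" ]; then
        "$@"   # boolean already off, or SELinux absent: nothing to toggle
        return $?
    fi
    # No -P: the change is not persisted, so a reboot also restores the default.
    "$SETSEBOOL" deny_ptrace 0 || return 1
    trap '"$SETSEBOOL" deny_ptrace 1; trap - EXIT INT TERM' EXIT INT TERM
    "$@"
    rc=$?
    "$SETSEBOOL" deny_ptrace 1
    trap - EXIT INT TERM
    return $rc
}

# Usage on a real host (commented out so the file can be sourced anywhere):
# with_ptrace strace -f -p "$(pidof firefox)"
# pid_is_confined "$(pidof firefox)" && echo confined || echo unconfined
```

The trap re-enables the boolean if the debugging session is interrupted with Ctrl-C; the second setsebool call after it is harmless because setting a boolean is idempotent. pid_is_confined only distinguishes unconfined_t from everything else, which is exactly the distinction the reply above draws for firefox.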