Re: SELinuxDenyPtrace: Write, compile, run, but don't debug applications?


Matthew Garrett <mjg59@xxxxxxxxxxxxx> wrote:

> To a first approximation, simply auditing the distribution for anything 
> that opens files or reads information from the network and forbidding 
> them ptrace access (and denying ptrace access from any existing confined 
> domains except, maybe, staff_t) seems like it would get us most of the 
> way to option 4 without breaking existing user expectations. What am I 
> missing that makes this infeasible?

That would leave just "Hello, world!" style programs (as long as they
aren't in some way localized, like the GNU version is).
Dr. Horst H. von Brand                   User #22616
Departamento de Informatica                    Fono: +56 32 2654431
Universidad Tecnica Federico Santa Maria             +56 32 2654239
Casilla 110-V, Valparaiso, Chile 2340000       Fax:  +56 32 2797513
devel mailing list
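As an added illustration of the heuristic Matthew describes (this is not code from the thread or from the SELinux project), the sketch below scans sesearch-style `allow` rules, constructed inline, and lists the domains that would lose ptrace under "anything that opens files or reads from the network", exempting staff_t; the permission and class sets used to classify a domain are assumptions.

```python
import re

# Constructed sample in `sesearch -A` output style; not taken from any real policy.
SAMPLE_RULES = """\
allow httpd_t httpd_sys_content_t:file { getattr ioctl lock open read };
allow httpd_t http_port_t:tcp_socket name_bind;
allow sshd_t sshd_t:tcp_socket { accept listen read write };
allow sshd_t sshd_key_t:file { open read };
allow crond_t crond_var_run_t:file { create open write };
allow hello_t hello_t:process { fork sigchld };
allow staff_t domain:process ptrace;
allow unconfined_t domain:process ptrace;
"""

# allow <source> <target>:<class> { perm ... };  or  allow ... :<class> perm;
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+));")

# Assumed classification: a domain "handles external input" if it can open/read
# files or receive data on a network socket.
FILE_INPUT = {"open", "read"}
NET_INPUT = {"read", "recv_msg", "recvfrom", "accept", "name_bind", "name_connect"}
NET_CLASSES = {"tcp_socket", "udp_socket", "rawip_socket", "unix_stream_socket"}


def parse_allow_rules(text):
    """Yield (source, target, class, perms) for each parsable allow rule."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        src, tgt, cls, multi, single = m.groups()
        perms = set(multi.split()) if multi else {single}
        yield src, tgt, cls, perms


def ptrace_deny_candidates(text, keep=("staff_t",)):
    """Return (domains that would lose ptrace, domains that would keep it)."""
    domains, flagged = set(), set()
    for src, _tgt, cls, perms in parse_allow_rules(text):
        domains.add(src)
        if cls == "file" and perms & FILE_INPUT:
            flagged.add(src)
        elif cls in NET_CLASSES and perms & NET_INPUT:
            flagged.add(src)
    flagged -= set(keep)
    return sorted(flagged), sorted(domains - flagged)


if __name__ == "__main__":
    deny, allow = ptrace_deny_candidates(SAMPLE_RULES)
    print("would lose ptrace:", deny)
    print("would keep ptrace:", allow)
```

On this sample only the trivial hello_t domain survives the audit untouched, which is the outcome Horst predicts.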
