Re: SELinuxDenyPtrace: Write, compile, run, but don't debug applications?


Matthew Garrett <mjg59@xxxxxxxxxxxxx> wrote:
[...]

> To a first approximation, simply auditing the distribution for anything 
> that opens files or reads information from the network and forbidding 
> them ptrace access (and denying ptrace access from any existing confined 
> domains except, maybe, staff_t) seems like it would get us most of the 
> way to option 4 without breaking existing user expectations. What am I 
> missing that makes this infeasible?

That would leave just "Hello, world!" style programs (as long as they
aren't in some way localized, like the GNU version is).
-- 
Dr. Horst H. von Brand                   User #22616 counter.li.org
Departamento de Informatica                    Fono: +56 32 2654431
Universidad Tecnica Federico Santa Maria             +56 32 2654239
Casilla 110-V, Valparaiso, Chile 2340000       Fax:  +56 32 2797513
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel


