[PATCH] SELinux: apply a different permission to ptrace a child vs non-child

Eric Paris eparis at redhat.com
Mon Apr 9 17:13:06 UTC 2012


On Mon, 2012-04-09 at 12:40 -0400, Josh Boyer wrote:
> On Mon, Apr 09, 2012 at 09:59:18AM -0400, Eric Paris wrote:
> > Some applications, like gdb, are able to ptrace both children or other
> > completely unrelated tasks.  We would like to be able to discern these two
> > things and to be able to allow gdb to ptrace its children, but not to be
> > able to ptrace unrelated tasks for security reasons.
> > 
> > Upstream is a bit weary of this patch as it may be incomplete.  They are
> > not fundamentally opposed to the patch, I was just asked to see if I could
> > flush out any needed refinement in Fedora where we already had the
> > problem.  We may find that we need to emulate the YAMA non-child
> 
> I'd be comfortable doing that kind of flushing out in rawhide, but
> I'm kinda hesitant for doing it in F17.  Which leads to...
> 
> > registration module in order to completely deal with 'normal' ptrace on
> > a system.  At the moment however, this patch will at least let us get
> > gdb working for many users in Fedora (See fedora-devel-list for a
> > discussion of the current issues people are complaining about in F17
> > without this)
> 
> ... the fact that people are really complaining about the deny_ptrace
> feature entirely.  Its Feature page was drafted and presented to FESCo
> saying it would default to off.  Dan recently said he'd abide by that,
> even though it seems the intention was to leave it on.

The feature page was obviously miswritten, but at this point the intent
now is to reduce system security close to the last minute.  Giving us as
much time as possible to shake out the problems for those users which
will want to turn this on.  99% of people aren't going to want firefox
to be able to use ptrace to steal all their passwords from the
gnome-keyring, yet that's exactly what can happen today.  Hopefully some
of them (including me) will leave this on in F17.  I'd advocate putting
this patch in F17 and rawhide as users who decide to turn it on in F17
will have problems.
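The child vs. non-child distinction the patch description draws, as an added illustration that is not part of the patch or the thread: a userspace classifier that walks the PPid chain and sorts a ptrace request into the two permission classes. The permission names `ptrace_child` and `ptrace` and the decision that any descendant counts as a "child" are assumptions made here, not taken from the patch.

```python
"""Classify a ptrace request as child vs non-child by walking the PPid chain."""
import os
from typing import Dict


def build_ppid_map_from_proc() -> Dict[int, int]:
    """Collect pid -> PPid for every process under /proc (Linux only)."""
    ppid_map: Dict[int, int] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/status") as status:
                for line in status:
                    if line.startswith("PPid:"):
                        ppid_map[int(name)] = int(line.split()[1])
                        break
        except OSError:
            continue  # process exited while we were scanning; skip it
    return ppid_map


def is_descendant(ppid_map: Dict[int, int], tracer: int, target: int) -> bool:
    """True when `target` is a descendant of `tracer` (assumption: any depth counts).

    Stops at pid 0 / an unknown pid and guards against loops in a bad map."""
    seen = set()
    pid = ppid_map.get(target)
    while pid is not None and pid > 0 and pid not in seen:
        if pid == tracer:
            return True
        seen.add(pid)
        pid = ppid_map.get(pid)
    return False


def classify_ptrace(ppid_map: Dict[int, int], tracer: int, target: int) -> str:
    """Map the request to a permission class; names are placeholders, not SELinux's."""
    return "ptrace_child" if is_descendant(ppid_map, tracer, target) else "ptrace"


# Constructed sample process tree: gdb (100) spawns a debuggee (101) which forks
# (102); gnome-keyring (200) and firefox (300) are unrelated siblings under init.
SAMPLE_PPIDS = {1: 0, 100: 1, 101: 100, 102: 101, 200: 1, 300: 1}
```

On a live Linux host, `classify_ptrace(build_ppid_map_from_proc(), os.getpid(), some_pid)` classifies a real request; the constructed map lets the logic run anywhere.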


