[PATCH] SELinux: apply a different permission to ptrace a child vs non-child

Justin M. Forbes jmforbes at linuxtx.org
Mon Apr 9 18:49:14 UTC 2012


On Mon, Apr 09, 2012 at 01:13:06PM -0400, Eric Paris wrote:
> On Mon, 2012-04-09 at 12:40 -0400, Josh Boyer wrote:
> > On Mon, Apr 09, 2012 at 09:59:18AM -0400, Eric Paris wrote:
> > > Some applications, like gdb, are able to ptrace both children and other
> > > completely unrelated tasks.  We would like to be able to discern these two
> > > things and to be able to allow gdb to ptrace its children, but not to be
> > > able to ptrace unrelated tasks for security reasons.
> > > 
> > > Upstream is a bit wary of this patch as it may be incomplete.  They are
> > > not fundamentally opposed to the patch, I was just asked to see if I could
> > > flush out any needed refinement in Fedora where we already had the
> > > problem.  We may find that we need to emulate the YAMA non-child
> > 
> > I'd be comfortable doing that kind of flushing out in rawhide, but
> > I'm kinda hesitant for doing it in F17.  Which leads to...

I will add it to the next rawhide builds and see how it shakes out.
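The distinction the quoted patch description draws, as an added example in C that is not part of the patch or of this thread: a process that ends up tracing its own child through PTRACE_TRACEME, a process that PTRACE_ATTACHes to a sibling it did not spawn, and a user-space walk over /proc/<pid>/status that approximates the ancestor test behind Yama's non-child handling. The kernel answers that question from task_struct rather than /proc, so the walk is only an illustration of the same check; the exit-code convention used to pass errno back from the forked helpers is this example's own assumption. What the attach path returns depends on the host's ptrace policy: with Yama ptrace_scope=1 and no CAP_SYS_PTRACE it returns EPERM, with scope 0 and the same uid it succeeds.

```c
/* Added example, not from the patch or the thread: the two ways a debugger
 * ends up as a tracer, and a user-space descendant walk that tells a child
 * tracee from an unrelated one.  Linux only; assumes /proc is mounted. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Parent pid of `pid` from /proc/<pid>/status, or -1 if unreadable. */
static pid_t parent_of(pid_t pid)
{
    char path[64], line[256];
    pid_t ppid = -1;
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "PPid:", 5) == 0) { ppid = (pid_t)atoi(line + 5); break; }
    }
    fclose(f);
    return ppid;
}

/* 1 if `tracer` is an ancestor of `tracee`, else 0.  This is the question
 * Yama's non-child rule asks; the kernel answers it from task_struct, and
 * this /proc walk is only an illustration of the same check. */
int is_descendant(pid_t tracer, pid_t tracee)
{
    for (pid_t p = parent_of(tracee); p > 0; p = parent_of(p))
        if (p == tracer) return 1;
    return 0;
}

/* Child path: fork, PTRACE_TRACEME in the child, parent becomes the tracer.
 * Returns 0 on success, otherwise the errno the child saw (passed back as
 * its exit status, an assumption of this example) or -1. */
int trace_own_child(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(errno);
        raise(SIGSTOP);                 /* ptrace-stop: hand control to tracer */
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0) return errno;
    if (WIFEXITED(status)) return WEXITSTATUS(status) ? WEXITSTATUS(status) : -1;
    if (!WIFSTOPPED(status)) return -1;
    ptrace(PTRACE_DETACH, pid, NULL, NULL);   /* data 0: the SIGSTOP is swallowed */
    waitpid(pid, &status, 0);
    return 0;
}

/* Non-child path: one sibling PTRACE_ATTACHes another it did not spawn.
 * Returns 0 if the attach succeeded (and was undone), else the attacher's
 * errno, or -1.  EPERM here is what Yama ptrace_scope=1 yields. */
int attach_to_sibling(void)
{
    int status, rc = -1;
    pid_t target = fork();
    if (target < 0) return errno;
    if (target == 0) { pause(); _exit(0); }      /* victim: idle until killed */

    pid_t attacker = fork();
    if (attacker < 0) {
        int e = errno;
        kill(target, SIGKILL); waitpid(target, NULL, 0);
        return e;
    }
    if (attacker == 0) {
        if (ptrace(PTRACE_ATTACH, target, NULL, NULL) < 0) _exit(errno);
        waitpid(target, &status, 0);             /* a tracer may wait on its tracee */
        ptrace(PTRACE_DETACH, target, NULL, NULL);
        _exit(0);
    }
    waitpid(attacker, &status, 0);
    if (WIFEXITED(status)) rc = WEXITSTATUS(status);
    kill(target, SIGKILL);
    waitpid(target, NULL, 0);
    return rc;
}

int main(void)
{
    int r;
    printf("this task descends from its parent: %d\n", is_descendant(getppid(), getpid()));
    printf("parent descends from this task:     %d\n", is_descendant(getpid(), getppid()));
    r = trace_own_child();
    printf("PTRACE_TRACEME by own child:        %s\n", r ? strerror(r) : "ok");
    r = attach_to_sibling();
    printf("PTRACE_ATTACH to unrelated task:    %s\n", r ? strerror(r) : "ok");
    return 0;
}
```

Running it on a Fedora-style host with Yama enabled shows the two paths diverging: the TRACEME child is always tracable by its parent, while the sibling attach reports EPERM unless ptrace_scope is 0 or the attacher holds CAP_SYS_PTRACE. Those are the two cases the patch wants SELinux policy to be able to grant separately.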
