On Fri, 2007-01-19 at 11:11 -0800, Ulrich Drepper wrote:
> Stephen Smalley wrote:
> > In the future, I'd like to see proc permission checking revised to
> > distinguish read-only access to process state vs. full ptrace access.
> That would have to be much more detailed than just read/write vs
> read-only. ptrace reads can leak information (especially a no-no for
> MLS but also for normal operation). For instance, you don't want to
> allow poking a process to get randomization values/seeds like the one
> used for pointer encryption.
> So, you'd have to go into great detail and maybe even split the
> functionality of a single ptrace or /proc operation in minute parts
> which might or might not be allowed.
Understood, but the current situation leads to overly permissive policy
(or excessive use of dontaudits and limited functionality) just to give
some visibility into the process state. Having to allow domain A full
ptrace control over domain B just to let domain A see some of domain
B's /proc/pid state is overkill.
--
Stephen Smalley
National Security Agency
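The two policy outcomes Stephen describes, written out as SELinux type enforcement rules. This is an added illustration, not text from the thread; `domain_a_t` and `domain_b_t` are placeholder type names standing for the "domain A" and "domain B" of the message, and the rules assume the usual labeling where a process's /proc/<pid> entries carry that process's domain type.

```selinux
# Constructed illustration; domain_a_t / domain_b_t are placeholder types.

# Outcome 1 (overly permissive): letting domain_a_t read domain_b_t's
# /proc/<pid> state means also granting process:ptrace, which covers far
# more than reading (register and memory access to B's processes).
allow domain_a_t domain_b_t:dir search;
allow domain_a_t domain_b_t:file { getattr read };
allow domain_a_t domain_b_t:process ptrace;

# Outcome 2 (limited functionality): withhold ptrace and silence the AVC
# denial so the audit log stays quiet; tools in domain_a_t that inspect B's
# state then fail with EACCES and lose that visibility.
dontaudit domain_a_t domain_b_t:process ptrace;
```

Neither rule set expresses "read-only view of process state without control over it", which is the gap the message argues for closing.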