SELinuxDenyPtrace: Write, compile, run, but don't debug applications?

Eric Paris eparis at redhat.com
Mon Apr 9 13:38:40 UTC 2012


On Mon, 2012-04-09 at 00:31 +0200, Kevin Kofler wrote:
> It also 
> breaks crash reporters such as DrKonqi (for DrKonqi, we work around this by 
> disabling the flag in kde-runtime's %post script, but there are other 
> similar debuggers in upstream software, some not packaged in Fedora)

I asked in the bug how DrKonqi works on other distros with the YAMA
security module enabled, which implements slightly different semantics,
and didn't hear a response.  I have patches which I will try to get into
the Fedora kernel later today that will allow us to seamlessly allow gdb
to trace children.  gdb -p would still require disabling the boolean.
(Think about it a moment.  gdb -p is the same as firefox trying to
ptrace gnome-keyring)

My understanding is that DrKonqi wants to be able to ptrace anything run
by the user.  This is a scary idea.  Please help me understand how
DrKonqi works on other distros which limit how user applications are
able to attack each other with the YAMA module and hopefully we can find
a similar way to rectify the situation in Fedora.

-Eric
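As an added illustration (not from the thread or from the Fedora kernel patches mentioned above), here is a small userland model of the YAMA ptrace_scope rules for PTRACE_ATTACH, run over a constructed process table covering the three cases raised: gdb tracing its own child, gdb -p on an unrelated same-uid process (the firefox/gnome-keyring comparison), and a process that declares its debugger with prctl(PR_SET_PTRACER). The pids, uids and process names are constructed; the decision rules follow the kernel's Yama documentation, not SELinux's deny_ptrace boolean.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userland model of Yama's ptrace_scope rules for PTRACE_ATTACH (constructed illustration,
   not kernel code). ptracer holds the tracee's prctl(PR_SET_PTRACER) choice. */
#define PTRACER_NONE 0
#define PTRACER_ANY -1   /* PR_SET_PTRACER_ANY */
struct proc { int pid, ppid; unsigned uid; bool cap_sys_ptrace, dumpable; int ptracer; };
/* Constructed table: gdb spawned prog; firefox and gnome-keyring are unrelated siblings;
   app (300) declared the crash helper it spawned (400) as its ptracer. */
static const struct proc procs[] = {
    {100,   1, 1000, false, true, PTRACER_NONE},  /* gdb ./prog        */
    {101, 100, 1000, false, true, PTRACER_NONE},  /* prog, gdb's child */
    {200,   1, 1000, false, true, PTRACER_NONE},  /* firefox (gdb -p)  */
    {201,   1, 1000, false, true, PTRACER_NONE},  /* gnome-keyring     */
    {300,   1, 1000, false, true, 400},           /* app that opted in */
    {400, 300, 1000, false, true, PTRACER_NONE},  /* crash helper      */
};
#define NPROCS (int)(sizeof procs / sizeof procs[0])
static const struct proc *lookup(int pid) {
    for (int i = 0; i < NPROCS; i++) if (procs[i].pid == pid) return &procs[i];
    return NULL;   /* pid 1 (init) is not modelled, so parent chains end here */
}
/* True if tracer is an ancestor of tracee: walk the tracee's parent chain. */
static bool is_descendant(int tracer, int tracee) {
    for (const struct proc *p = lookup(tracee); p; p = lookup(p->ppid))
        if (p->ppid == tracer) return true;
    return false;
}
bool yama_allows_attach(int scope, int tracer_pid, int tracee_pid) {
    const struct proc *tr = lookup(tracer_pid), *te = lookup(tracee_pid);
    if (!tr || !te) return false;
    /* Classic DAC rule the core kernel applies first: same uid and dumpable, or CAP_SYS_PTRACE. */
    if (!tr->cap_sys_ptrace && !(tr->uid == te->uid && te->dumpable)) return false;
    switch (scope) {
    case 0:  return true;                          /* classic: any same-uid process */
    case 1:  return tr->cap_sys_ptrace || is_descendant(tracer_pid, tracee_pid)   /* restricted */
                 || te->ptracer == PTRACER_ANY || te->ptracer == tracer_pid;       /* or opt-in  */
    case 2:  return tr->cap_sys_ptrace;            /* admin-only */
    default: return false;                         /* 3: no PTRACE_ATTACH for anyone */
    }
}
/* The thread's cases: gdb on its own child, "gdb -p" on an unrelated same-uid process
   (firefox -> gnome-keyring), and a tracee that declared the helper it spawned. */
bool demo_gdb_child(int scope)       { return yama_allows_attach(scope, 100, 101); }
bool demo_gdb_attach(int scope)      { return yama_allows_attach(scope, 200, 201); }
bool demo_declared_helper(int scope) { return yama_allows_attach(scope, 400, 300); }
int main(void) {   /* prints the decision table for all four scopes */
    for (int s = 0; s <= 3; s++) printf("ptrace_scope=%d: gdb child=%d  gdb -p=%d  declared helper=%d\n",
        s, demo_gdb_child(s), demo_gdb_attach(s), demo_declared_helper(s));
    return 0;
}
```

Under ptrace_scope=1 the first and third cases are allowed while gdb -p on an unrelated process is refused, which is the distinction the message draws.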
