SELinuxDenyPtrace: Write, compile, run, but don't debug applications?

Niels de Vos devos at fedoraproject.org
Mon Apr 9 18:54:03 UTC 2012


On Mon, Apr 9, 2012 at 3:38 PM, Eric Paris <eparis at redhat.com> wrote:
> On Mon, 2012-04-09 at 00:31 +0200, Kevin Kofler wrote:
>> It also
>> breaks crash reporters such as DrKonqi (for DrKonqi, we work around this by
>> disabling the flag in kde-runtime's %post script, but there are other
>> similar debuggers in upstream software, some not packaged in Fedora)
>
> I ask in the bug how DrKonqi works on other distros with the YAMA
> security module enabled which implements a slightly different semantic
> and didn't hear a response.  I have patches which I will try to get into
> the Fedora kernel later today that will allow us to seamlessly allow gdb
> to trace children.  gdb -p would still require disabling the boolean.
> (Think about it a moment.  gdb -p is the same as firefox trying to
> ptrace gnome-keyring)
>
> My understanding is that DrKonqi wants to be able to ptrace anything run
> by the user.  This is a scary idea.  Please help me understand how
> DrKonqi works on other distros which limit how user applications are
> able to attack each other with the YAMA module and hopefully we can find
> a similar way to rectify the situation in Fedora.

It seems that there is a prctl() call to allow a specific PID (like gdb
started by the signal handler of DrKonqi) to trace the calling/crashed
process. The idea comes from the following gdb discussion:
- http://sourceware.org/ml/gdb-patches/2012-03/msg00274.html

HTH,
Niels
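The prctl() mechanism referred to above is Yama's PR_SET_PTRACER. The following is an added example, not code from the thread, DrKonqi or gdb: a crash handler that grants ptrace rights to exactly one helper it forks, and releases that helper only after the grant exists, so the helper cannot race ahead and be refused. It assumes a Linux kernel with Yama, and /usr/bin/gdb stands in as a placeholder for the real helper.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Yama scope 0..3 from /proc/sys/kernel/yama/ptrace_scope, or -1 if the sysctl is absent. */
int yama_ptrace_scope(void)
{
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (f == NULL) return -1;
    int c = fgetc(f);
    fclose(f);
    return (c >= '0' && c <= '3') ? c - '0' : -1;
}

/* Under scope 1, let exactly one non-descendant process attach to us. Scope 0 needs
 * no grant; scope 3 refuses every attach. Returns 0, or -1 with errno (EINVAL: no Yama). */
int allow_tracer(pid_t tracer)
{
    return prctl(PR_SET_PTRACER, (unsigned long)tracer, 0, 0, 0);
}

/* Crash handler: fork the helper, grant it ptrace rights, then release it through a
 * pipe so it attaches only after the grant. Install with signal(SIGSEGV, on_crash). */
void on_crash(int sig)
{
    int sync[2];
    char pid[16];
    snprintf(pid, sizeof pid, "%d", (int)getpid()); /* not async-signal-safe; demo only */
    if (pipe(sync) == 0) {
        pid_t helper = fork();
        if (helper == 0) {                          /* child: wait for the grant, then exec */
            char go;
            close(sync[1]);
            if (read(sync[0], &go, 1) == 1)
                execl("/usr/bin/gdb", "gdb", "-p", pid, (char *)NULL); /* placeholder helper */
            _exit(127);
        }
        close(sync[0]);
        if (helper > 0 && allow_tracer(helper) == 0 && write(sync[1], "x", 1) == 1)
            waitpid(helper, NULL, 0);               /* stay alive while the helper attaches */
        close(sync[1]);
    }
    signal(sig, SIG_DFL);                           /* then take the default action */
    raise(sig);
}
```

The grant is per-process and per-tracer, which is what keeps this narrower than disabling deny_ptrace or setting PR_SET_PTRACER_ANY.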

