SELinuxDenyPtrace: Write, compile, run, but don't debug applications?
Matthew Garrett
mjg at redhat.com
Tue Apr 10 01:57:54 UTC 2012
On Mon, Apr 09, 2012 at 09:18:13PM -0400, Daniel J Walsh wrote:
> On 04/09/2012 05:06 PM, Matthew Garrett wrote:
> > On Mon, Apr 09, 2012 at 04:55:27PM -0400, Daniel J Walsh wrote:
> >
> >> And guess what I use these tools, and I just execute setsebool
> >> deny_ptrace 0 anytime I need to strace or debug an application, then I
> >> turn it back on when I am done.
> >
> > Are we able to determine that strace or gdb have been explicitly started by
> > the user rather than from some more confined application?
> >
> We already block ptrace from almost every confined domain other then user domains.
Ok, so if anything that's already a likely target of attack is unable to
initiate ptrace or start a process that can ptrace, what real extra
security do we gain by disabling it by default?
--
Matthew Garrett | mjg59 at srcf.ucam.org
More information about the devel
mailing list