SELinuxDenyPtrace: Write, compile, run, but don't debug applications?
Michael Scherer
misc at zarb.org
Tue Apr 10 09:27:12 UTC 2012
Le mardi 10 avril 2012 à 02:57 +0100, Matthew Garrett a écrit :
> On Mon, Apr 09, 2012 at 09:18:13PM -0400, Daniel J Walsh wrote:
> > On 04/09/2012 05:06 PM, Matthew Garrett wrote:
> > > On Mon, Apr 09, 2012 at 04:55:27PM -0400, Daniel J Walsh wrote:
> > >
> > >> And guess what I use these tools, and I just execute setsebool
> > >> deny_ptrace 0 anytime I need to strace or debug an application, then I
> > >> turn it back on when I am done.
> > >
> > > Are we able to determine that strace or gdb have been explicitly started by
> > > the user rather than from some more confined application?
> > >
> > We already block ptrace from almost every confined domain other then user domains.
>
> Ok, so if anything that's already a likely target of attack is unable to
> initiate ptrace or start a process that can ptrace, what real extra
> security do we gain by disabling it by default?
AFAIK, firefox is not running in a confined domain, and that's a
valuable target of attack. The same could be said of some others
applications ( like acroread, etc ).
--
Michael Scherer
More information about the devel
mailing list