SELinuxDenyPtrace: Write, compile, run, but don't debug applications?
Horst H. von Brand
vonbrand at inf.utfsm.cl
Tue Apr 10 14:26:50 UTC 2012
Matthew Garrett <mjg59 at srcf.ucam.org> wrote:
[...]
> To a first approximation, simply auditing the distribution for anything
> that opens files or reads information from the network and forbidding
> them ptrace access (and denying ptrace access from any existing confined
> domains except, maybe, staff_t) seems like it would get us most of the
> way to option 4 without breaking existing user expectations. What am I
> missing that makes this infeasible?
That would leave just "Hello, world!" style programs (as long as they
aren't in some way localized, like the GNU version is).
--
Dr. Horst H. von Brand User #22616 counter.li.org
Departamento de Informatica Fono: +56 32 2654431
Universidad Tecnica Federico Santa Maria +56 32 2654239
Casilla 110-V, Valparaiso, Chile 2340000 Fax: +56 32 2797513
More information about the devel
mailing list