SELinuxDenyPtrace: Write, compile, run, but don't debug applications?

Matthew Garrett mjg59 at srcf.ucam.org
Tue Apr 10 14:30:15 UTC 2012


On Tue, Apr 10, 2012 at 11:26:50AM -0300, Horst H. von Brand wrote:
> Matthew Garrett <mjg59 at srcf.ucam.org> wrote:
> [...]
> 
> > To a first approximation, simply auditing the distribution for anything 
> > that opens files or reads information from the network and forbidding 
> > them ptrace access (and denying ptrace access from any existing confined 
> > domains except, maybe, staff_t) seems like it would get us most of the 
> > way to option 4 without breaking existing user expectations. What am I 
> > missing that makes this infeasible?
> 
> That would leave just "Hello, world!" style programs (as long as they
> aren't in some way localized, like the GNU version is).

Yeah, that's a bit broad. The 99% case would probably be anything that 
reads from the network or opens PDFs or doc files.

-- 
Matthew Garrett | mjg59 at srcf.ucam.org