Re: [PATCH] ptrace: allow restriction of ptrace scope

[Kees Cook]

Hi James,

On Thu, Jun 17, 2010 at 11:45:42PM +1000, James Morris wrote:
> On Wed, 16 Jun 2010, Kees Cook wrote:
> 
> [Note: it would be useful to cc: the LSM list on security discussions]

Sorry, I was blindly using get_maintainer output.

> > Certainly.  PTRACE can already be confined by SELinux and AppArmor.  I'm
> > looking for a general approach that doesn't require a system builder to
> > create MAC policies for unknown software.  I want to define a common core
> > behavior.
> > 
> > > And even if you don't care about using the same security stuff the rest
> > > of the world is using to solve the problem this like the other half baked
> > > stuff you posted for links belongs as a security module.
> > 
> > The LSM isn't stackable, so I can't put it there and choose this and
> > SELinux (for the case of software-without-a-policy).
> 
> SELinux already supports a global switch for ptrace via the allow_ptrace 
> boolean.  You don't need to write any policy, just set it to 0.
> 
> Global behavior can be further customized and refined (e.g. create a 
> generic policy module for apps without an existing policy, which allows 
> everything except things like ptrace and dangerous symlinks).
> 
> SELinux users would not need the other LSM, and stacking is thus not 
> required.

But if a user wants to disable ptrace using the SELinux LSM and then
also disable sticky-symlinks via the ItsHideous LSM, they're out of luck.

-Kees

-- 
Kees Cook
Ubuntu Security Team
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/