Re: [PATCH] ptrace: allow restriction of ptrace scope

From: Valdis . Kletnieks
Date: Sun Jun 20 2010 - 22:17:26 EST


On Mon, 21 Jun 2010 10:52:11 +1000, James Morris said:

> Note that people using SELinux or AppArmor already have the ability to
> restrict ptrace, and they would thus not need to stack this function if it
> were in a separate LSM.

That's assuming they can figure out how to write and integrate the required
policy changes. Looking inside selinux-policy-3.8.3-4.fc14.src.rpm from Fedora
Rawhide: (Holy cow, there's a .git tree in that tarball - no wonder it's 20M in
size).

% cd serefpolicy-3.8.3/policy/modules; wc -l */* | grep total
135967 total

135kloc of policy that probably nobody in your shop really understands. At
that point, writing something that stacks starts sounding really enticing.
