|| ||Alan Cox <alan-AT-lxorguk.ukuu.org.uk> |
|| ||Randy Dunlap <rdunlap-AT-xenotime.net> |
|| ||Re: [PATCH] ptrace: allow restriction of ptrace scope |
|| ||Thu, 17 Jun 2010 22:18:15 +0100|
|| ||Kees Cook <kees.cook-AT-canonical.com>,
James Morris <jmorris-AT-namei.org>, linux-kernel-AT-vger.kernel.org,
Andrew Morton <akpm-AT-linux-foundation.org>,
Jiri Kosina <jkosina-AT-suse.cz>,
Dave Young <hidave.darkstar-AT-gmail.com>,
Martin Schwidefsky <schwidefsky-AT-de.ibm.com>,
Roland McGrath <roland-AT-redhat.com>,
Oleg Nesterov <oleg-AT-redhat.com>,
"H. Peter Anvin" <hpa-AT-zytor.com>,
David Howells <dhowells-AT-redhat.com>,
Ingo Molnar <mingo-AT-elte.hu>,
Peter Zijlstra <a.p.zijlstra-AT-chello.nl>,
"Eric W. Biederman" <ebiederm-AT-xmission.com>,
linux-doc-AT-vger.kernel.org, Stephen Smalley <sds-AT-tycho.nsa.gov>,
Daniel J Walsh <dwalsh-AT-redhat.com>,
|| ||Article, Thread
> > Thats a nonsensical configuration so we don't care. If you are using
> > SELinux you just do it via SELinux. If you are doing it via
> > UbuntuHasToBeDifferent then you do it via that.
> Well, surely there are people who use something other than Ubuntu
> and also care about not using SELinux... eh?
Then they can load UbuntuSecurity and use that, just enabling the
features they want.
I'm not against the Ubuntu stuff getting beaten into a security module
and put where it belongs. Far from it - I just want to see it put where
it belongs, which is not junk randomly spewed over the tree. Doubly so
when they do it wrong *because* they are not using the security hooks.
It seems pretty easy to me. Kees needs to package up the grsecurity
features that Ubuntu thinks are valuable into security/something/... with
a set of sysfs entries to turn on/off the various features. Ubuntu is
happy, people who want a simple set of sysfs feature controls for
security are happy and nobody else will even notice.
It'll appeal to some people because it looks easy to work and it won't
upset anyone else because its all nicely filed away where it belongs.
We don't put MSDOS fs hacks randomly all over the VFS, please don't try
and put security hacks into random bits of kernel code.
 Maybe we should be scarier, like Al ;)
To unsubscribe from this list: send the line "unsubscribe linux-doc" in
the body of a message to firstname.lastname@example.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
to post comments)