Re: [PATCH] ptrace: allow restriction of ptrace scope
[Posted June 22, 2010 by jake]
| Header | Value |
|---|---|
| From: | Theodore Tso <tytso-AT-MIT.EDU> |
| To: | Casey Schaufler <casey-AT-schaufler-ca.com> |
| Subject: | Re: [PATCH] ptrace: allow restriction of ptrace scope |
| Date: | Fri, 18 Jun 2010 06:54:57 -0400 |
| Cc: | Alan Cox <alan-AT-lxorguk.ukuu.org.uk>, Kees Cook <kees.cook-AT-canonical.com>, Randy Dunlap <rdunlap-AT-xenotime.net>, James Morris <jmorris-AT-namei.org>, linux-kernel-AT-vger.kernel.org, Andrew Morton <akpm-AT-linux-foundation.org>, Jiri Kosina <jkosina-AT-suse.cz>, Dave Young <hidave.darkstar-AT-gmail.com>, Martin Schwidefsky <schwidefsky-AT-de.ibm.com>, Roland McGrath <roland-AT-redhat.com>, Oleg Nesterov <oleg-AT-redhat.com>, "H. Peter Anvin" <hpa-AT-zytor.com>, David Howells <dhowells-AT-redhat.com>, Ingo Molnar <mingo-AT-elte.hu>, Peter Zijlstra <a.p.zijlstra-AT-chello.nl>, "Eric W. Biederman" <ebiederm-AT-xmission.com>, linux-doc-AT-vger.kernel.org, Stephen Smalley <sds-AT-tycho.nsa.gov>, Daniel J Walsh <dwalsh-AT-redhat.com>, linux-security-module-AT-vger.kernel.org |
I think we really need to have stacked LSMs, because there is a large set of people who will never use SELinux. Every few years, I take another look at SELinux, my head explodes with the (IMHO unneeded) complexity, and I go away again...

Yet I would really like a number of features such as this ptrace scope idea --- which I think is a useful feature, and it may be that stacking is the only way we can resolve this debate. The SELinux people will never believe that their system is too complicated, and I don't like using things that are impossible for me to understand or configure, and that doesn't seem likely to change anytime in the near future.

I mean, even IPSEC RFCs are easier for me to understand, and that's saying a lot...
-- Ted