
SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 7:24 UTC (Thu) by geertj (guest, #4116)
Parent article: SELinuxDenyPtrace and security by default

Could the problem be solved by allowing ptrace() only to children of the current process? That way debugging and strace would work, but no other process could ptrace() my password safe. And processes could protect themselves against ptracing by reparenting themselves to init.



SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 9:19 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)

That's exactly what Yama in Ubuntu does.

SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 12:26 UTC (Thu) by spender (subscriber, #23067)

What a brilliant idea! Why didn't I think of that in 2009?

Unfortunately Dan Walsh isn't as adept as Ubuntu in copying my ideas and thus has to resort to paranoia as a form of "security" to introduce such "forward-thinking" measures.

-Brad

Children only

Posted Apr 12, 2012 12:59 UTC (Thu) by corbet (editor, #1)

Being able to trace only children by default is likely to be part of the solution at the end. But, as many people pointed out in the discussion, there are a lot of uses of commands like strace -p, so this policy will still cause problems.
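The "children only" policy geertj proposes above is what Yama's ptrace_scope=1 enforces, and corbet's strace -p case is precisely an attach to a process that is not a descendant of the tracer. The following C program is an added example written for this page; it is not code from the thread, from Yama, or from grsecurity. It reads the current ptrace_scope, then tries PTRACE_ATTACH against three targets: a direct child, a child that has made itself non-dumpable with prctl(PR_SET_DUMPABLE, 0) (the kernel's own knob for a process such as a password safe to refuse same-uid tracers, independent of Yama), and a double-forked grandchild that init has adopted and that is therefore no longer a descendant (geertj's "reparent to init" idea, and also the situation strace -p is in). The attach_expected() table is an assumption spelled out for unprivileged, same-uid tracers on Linux; a tracer holding CAP_SYS_PTRACE (for example root) succeeds in every case.

```c
/* Added example (not from the LWN thread, Yama or grsecurity): probe Yama's
 * ptrace_scope and show what "trace only descendants" means in practice.
 * Assumes Linux; without Yama the classic same-uid rules apply.
 * Build: gcc -Wall -o ptrace_scope_demo ptrace_scope_demo.c ; run unprivileged. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>

/* Current value of /proc/sys/kernel/yama/ptrace_scope, or -1 if Yama is absent. */
int yama_ptrace_scope(void) {
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (!f) return -1;
    int scope = -1;
    if (fscanf(f, "%d", &scope) != 1) scope = -1;
    fclose(f);
    return scope;
}

/* Policy table (an assumption written out here, for an unprivileged same-uid
 * tracer and a dumpable target): should PTRACE_ATTACH succeed under this scope? */
int attach_expected(int scope, int is_descendant) {
    switch (scope) {
    case 1:  return is_descendant;  /* the "children only" policy from the thread */
    case 2:  return 0;              /* admin only: needs CAP_SYS_PTRACE */
    case 3:  return 0;              /* no attach at all */
    default: return 1;              /* scope 0, or no Yama: any same-uid process */
    }
}

/* Try PTRACE_ATTACH on pid, then detach, kill and (if it is ours) reap it.
 * Returns 0 if the attach succeeded, otherwise the errno the kernel gave
 * (EPERM from Yama or a non-dumpable target, EACCES from an SELinux denial). */
static int attach_probe(pid_t pid) {
    int err = 0, status;
    if (pid <= 0) return ESRCH;             /* never kill(-1, ...) by accident */
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) {
        err = errno;
    } else {
        waitpid(pid, &status, 0);           /* tracee stops on attach */
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
    }
    kill(pid, SIGKILL);
    waitpid(pid, &status, 0);               /* ECHILD for a non-child; harmless */
    return err;
}

/* Direct child. With make_nondumpable set, the child first calls
 * prctl(PR_SET_DUMPABLE, 0): the kernel's own way for a process to refuse
 * same-uid tracers, which works with or without Yama. */
int try_attach_child(int make_nondumpable) {
    int fd[2];
    if (pipe(fd) == -1) return errno;
    pid_t pid = fork();
    if (pid == -1) return errno;
    if (pid == 0) {
        if (make_nondumpable) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
        if (write(fd[1], "r", 1) != 1) _exit(1);   /* tell the parent we are ready */
        for (;;) pause();
    }
    char c;
    if (read(fd[0], &c, 1) != 1) return EIO;
    close(fd[0]); close(fd[1]);
    return attach_probe(pid);
}

/* Non-descendant: the child double-forks and exits, so init (or the nearest
 * child subreaper) adopts the grandchild. Same situation as `strace -p`. */
int try_attach_orphan(void) {
    int fd[2], status;
    if (pipe(fd) == -1) return errno;
    pid_t pid = fork();
    if (pid == -1) return errno;
    if (pid == 0) {
        pid_t g = fork();
        if (g == 0) for (;;) pause();
        if (g == -1 || write(fd[1], &g, sizeof g) != (ssize_t)sizeof g) _exit(1);
        _exit(0);
    }
    pid_t grandchild = -1;
    if (read(fd[0], &grandchild, sizeof grandchild) != (ssize_t)sizeof grandchild) return EIO;
    close(fd[0]); close(fd[1]);
    waitpid(pid, &status, 0);   /* once the child is gone, the grandchild is not ours */
    return attach_probe(grandchild);
}

static const char *verdict(int err) { return err ? strerror(err) : "ok"; }

int main(void) {
    int scope = yama_ptrace_scope();
    printf("kernel.yama.ptrace_scope = %d\n", scope);
    printf("child:              %s (policy expects %s)\n", verdict(try_attach_child(0)),
           attach_expected(scope, 1) ? "ok" : "denied");
    printf("non-dumpable child: %s (denied for unprivileged tracers at any scope)\n",
           verdict(try_attach_child(1)));
    printf("non-descendant:     %s (policy expects %s)\n", verdict(try_attach_orphan()),
           attach_expected(scope, 0) ? "ok" : "denied");
    return 0;
}
```

Run as an ordinary user. With ptrace_scope=1 the first probe reports "ok" and the other two "Operation not permitted"; with scope 0 (or no Yama) the non-descendant attach succeeds too, which is the strace -p and gdb -p workflow corbet refers to; with scope 2 or 3 every attach is denied. The non-dumpable probe shows that a process can already defend itself under any scope, at the cost of also disabling core dumps for itself.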


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds