Would it be better to have millions of locked down machines where the user doesn't need ptrace and there is a boolean that would disable it, but the user lacks privileges to enable that boolean?
I _think_ SELinux could be configured to grant ptrace rights to binaries like gdb, but the problem is that this mostly undoes the security benefit of removing the privilege in the first place.
Maybe a nice alternative would be to enable ptrace by default only for processes which are marked at exec-time in some way as volunteering to be traced. The "your children" rule is a primitive version of this restriction, but a smarter one could allow for almost all legitimate debugging. The only special case where you'd want to turn off the boolean then would be debugging of a production system that has some error you can't reproduce under test conditions yet must anyhow diagnose and fix. That's a narrow enough case that requiring people to jump through hoops ought to be acceptable.
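The opt-in the comment sketches exists on Linux today in the Yama LSM: `kernel.yama.ptrace_scope` implements the "your children" rule at level 1, and a process can volunteer for one specific debugger with `prctl(PR_SET_PTRACER, pid)`. The following is an added example, not code from the comment or from the kernel. It models the documented Yama decision for `PTRACE_ATTACH` as a small pure function (so the policy can be checked without a root shell), and its `main` runs a constructed scenario: two sibling processes, where the tracee declares the tracer and the tracer then attaches. Run it with `--no-optin` on a system with `ptrace_scope=1` and the attach is refused with EPERM; run it with the opt-in and it succeeds. The `PR_SET_PTRACER` constant is the real value from `linux/prctl.h`; the helper names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>

#ifndef PR_SET_PTRACER
#define PR_SET_PTRACER 0x59616d61   /* "Yama"; value from linux/prctl.h */
#endif

/* Levels of kernel.yama.ptrace_scope (Documentation/admin-guide/LSM/Yama.rst). */
enum yama_scope {
    YAMA_CLASSIC    = 0,  /* classic ptrace permissions only */
    YAMA_RESTRICTED = 1,  /* descendants, declared tracers, or CAP_SYS_PTRACE */
    YAMA_ADMIN_ONLY = 2,  /* CAP_SYS_PTRACE only */
    YAMA_NO_ATTACH  = 3   /* no PTRACE_ATTACH at all; cannot be lowered without reboot */
};

struct attach_request {
    int scope;               /* current ptrace_scope value */
    int same_uid;            /* classic check: tracer and (dumpable) tracee share the uid */
    int tracer_has_cap;      /* tracer holds CAP_SYS_PTRACE */
    int tracer_is_ancestor;  /* tracee is a descendant of the tracer ("your children") */
    int declared_tracer;     /* tracee ran prctl(PR_SET_PTRACER, tracer) or PR_SET_PTRACER_ANY */
};

/* Model of the kernel's decision for PTRACE_ATTACH: 1 = allowed, 0 = EPERM. */
int attach_allowed(const struct attach_request *r)
{
    /* The classic DAC check applies at every level; Yama only adds restrictions. */
    if (!r->same_uid && !r->tracer_has_cap)
        return 0;
    switch (r->scope) {
    case YAMA_CLASSIC:    return 1;
    case YAMA_RESTRICTED: return r->tracer_has_cap || r->tracer_is_ancestor || r->declared_tracer;
    case YAMA_ADMIN_ONLY: return r->tracer_has_cap;
    default:              return 0;   /* YAMA_NO_ATTACH and unknown values */
    }
}

/* Current setting, or -1 when Yama is not present on this kernel. */
int read_ptrace_scope(void)
{
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    int v = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Tracee: optionally volunteer for exactly one tracer, signal readiness, then idle. */
static void run_tracee(pid_t tracer, int ready_fd, int optin)
{
    if (optin && prctl(PR_SET_PTRACER, (unsigned long)tracer, 0, 0, 0) != 0)
        perror("prctl(PR_SET_PTRACER)");
    if (write(ready_fd, "r", 1) != 1) perror("write");
    close(ready_fd);
    for (;;)
        pause();   /* stays here until the parent kills it */
}

/* Tracer: a sibling of the tracee, so the "your children" rule does not apply. */
static int run_tracer(int target_fd)
{
    pid_t target;
    int status;
    if (read(target_fd, &target, sizeof target) != sizeof target)
        return 2;
    if (ptrace(PTRACE_ATTACH, target, NULL, NULL) != 0) {
        printf("attach to %d refused: %s\n", (int)target, strerror(errno));
        return 1;
    }
    if (waitpid(target, &status, 0) == target && WIFSTOPPED(status))
        ptrace(PTRACE_DETACH, target, NULL, NULL);
    printf("attach to %d succeeded\n", (int)target);
    return 0;
}

int main(int argc, char **argv)
{
    int optin = !(argc > 1 && strcmp(argv[1], "--no-optin") == 0);
    int to_tracer[2], from_tracee[2], status;
    pid_t tracer, tracee;
    char c;

    printf("kernel.yama.ptrace_scope = %d\n", read_ptrace_scope());
    fflush(stdout);
    if (pipe(to_tracer) || pipe(from_tracee)) { perror("pipe"); return 1; }

    tracer = fork();
    if (tracer == 0) { close(to_tracer[1]); close(from_tracee[0]); close(from_tracee[1]);
                       exit(run_tracer(to_tracer[0])); }
    tracee = fork();
    if (tracee == 0) { close(to_tracer[0]); close(to_tracer[1]); close(from_tracee[0]);
                       run_tracee(tracer, from_tracee[1], optin); _exit(0); }

    close(from_tracee[1]);
    if (read(from_tracee[0], &c, 1) != 1) perror("read");   /* tracee has declared its tracer */
    if (write(to_tracer[1], &tracee, sizeof tracee) != sizeof tracee) perror("write");
    close(to_tracer[1]);
    waitpid(tracer, &status, 0);
    kill(tracee, SIGKILL);
    waitpid(tracee, NULL, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Build with `cc -o ptrace_optin ptrace_optin.c` and run `./ptrace_optin` and `./ptrace_optin --no-optin` on a host with `ptrace_scope=1`: only the opted-in run attaches. At level 2 or 3 both runs are refused, which is the production-debugging case the comment mentions, where the administrator must lower the boolean (level 3 cannot be lowered at all without a reboot). The declaration is per-process and not inherited across `exec`, so the "mark at exec time" idea would have to be done by the new image itself or by a launcher that re-declares after `exec`.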
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds.