Re: [PATCH] SELinux: apply a different permission to ptrace a child vs non-child

On Mon, Apr 09, 2012 at 09:59:18AM -0400, Eric Paris wrote:
> Some applications, like gdb, are able to ptrace both children or other
> completely unrelated tasks.  We would like to be able to discern these two
> things and to be able to allow gdb to ptrace its children, but not to be
> able to ptrace unrelated tasks for security reasons.
> 
> Upstream is a bit wary of this patch as it may be incomplete.  They are
> not fundamentally opposed to the patch, I was just asked to see if I could
> flush out any needed refinement in Fedora where we already had the
> problem.  We may find that we need to emulate the YAMA non-child

I'd be comfortable doing that kind of flushing out in rawhide, but
I'm kinda hesitant for doing it in F17.  Which leads to...

> registration module in order to completely deal with 'normal' ptrace on
> a system.  At the moment however, this patch will at least let us get
> gdb working for many users in Fedora (See fedora-devel-list for a
> discussion of the current issues people are complaining about in F17
> without this)

... the fact that people are really complaining about the deny_ptrace
feature entirely.  Its Feature page was drafted and presented to FESCo
saying it would default to off.  Dan recently said he'd abide by that,
even though it seems the intention was to leave it on.

Given all that, should we throw this patch into rawhide where
deny_ptrace will presumably be left on and handle the fallout there?  Or
does everyone think the "can't ptrace children" issue is a big enough
problem in F17 even with deny_ptrace disabled by default?

josh
_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/kernel