Re: SELinuxDenyPtrace: Write, compile, run, but don't debug applications?

On Mon, Apr 9, 2012 at 3:38 PM, Eric Paris <eparis@xxxxxxxxxx> wrote:
> On Mon, 2012-04-09 at 00:31 +0200, Kevin Kofler wrote:
>> It also
>> breaks crash reporters such as DrKonqi (for DrKonqi, we work around this by
>> disabling the flag in kde-runtime's %post script, but there are other
>> similar debuggers in upstream software, some not packaged in Fedora)
>
> I asked in the bug how DrKonqi works on other distros with the YAMA
> security module enabled, which implements a slightly different semantic,
> and didn't hear a response.  I have patches which I will try to get into
> the Fedora kernel later today that will allow us to seamlessly allow gdb
> to trace children.  gdb -p would still require disabling the boolean.
> (Think about it a moment.  gdb -p is the same as firefox trying to
> ptrace gnome-keyring)
>
> My understanding is that DrKonqi wants to be able to ptrace anything run
> by the user.  This is a scary idea.  Please help me understand how
> DrKonqi works on other distros which limit how user applications are
> able to attack each other with the YAMA module and hopefully we can find
> a similar way to rectify the situation in Fedora.

It seems that there is a prctl() call to allow a specific PID (like gdb
started by the signal handler of DrKonqi) to trace the calling/crashed
process. The idea comes from following the gdb discussion here:
- http://sourceware.org/ml/gdb-patches/2012-03/msg00274.html

HTH,
Niels
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
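The prctl() Niels refers to is Yama's PR_SET_PTRACER. The following is an added example written for this archive page, not code from the thread, DrKonqi or KCrash: a crash handler that forks a helper, whitelists that one PID as its tracer, and only then lets the helper run gdb -p against the crashed parent. It assumes a Linux kernel with Yama at kernel.yama.ptrace_scope=1 and gdb on PATH; the function names (allow_ptrace_from, yama_ptrace_scope, helper_may_attach, crash_handler) are this example's own.

```c
/* Added example: crash handler that grants ptrace to exactly one helper PID
 * via Yama's PR_SET_PTRACER. Build: cc -o crashdemo crashdemo.c
 * Run:   ./crashdemo --crash   (prints a gdb backtrace if gdb is on PATH) */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef PR_SET_PTRACER
#define PR_SET_PTRACER 0x59616d61   /* "Yama"; missing from older headers */
#endif

/* Grant `tracer` (and only it) permission to ptrace this process under
 * Yama ptrace_scope=1; 0 clears the grant. Returns 0 or -errno.
 * -EINVAL means there is no Yama in this kernel (or the PID is gone).
 * Note: this relaxes Yama only; it does not touch the SELinux deny_ptrace
 * boolean the thread is about, which is checked independently. */
int allow_ptrace_from(pid_t tracer)
{
    if (prctl(PR_SET_PTRACER, (unsigned long)tracer, 0, 0, 0) == -1)
        return -errno;
    return 0;
}

/* Read kernel.yama.ptrace_scope: 0..3, or -1 when the sysctl is absent. */
int yama_ptrace_scope(void)
{
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    int scope = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%d", &scope) != 1)
        scope = -1;
    fclose(f);
    return scope;
}

/* Can an unprivileged helper that is not our ancestor attach to us?
 * scope 0 (or no Yama): yes, classic same-uid rule; scope 1: only with a
 * PR_SET_PTRACER grant; scope 2: only with CAP_SYS_PTRACE; scope 3: never.
 * (SELinux deny_ptrace, if enabled, is a separate check on top of this.) */
int helper_may_attach(int scope, int granted)
{
    switch (scope) {
    case 1:  return granted ? 1 : 0;
    case 2:  /* fall through */
    case 3:  return 0;
    default: return 1;
    }
}

/* Signal handler: fork a helper, whitelist it, release it to run gdb -p.
 * The pipe closes the race between the child attaching and the parent
 * granting. (snprintf is not async-signal-safe; a real handler would
 * format the PID by hand or preformat it at startup.) */
static void crash_handler(int sig)
{
    int fds[2];
    pid_t child;
    if (pipe(fds) == -1)
        _exit(128 + sig);
    child = fork();
    if (child == 0) {
        char go, pidbuf[32];
        close(fds[1]);
        if (read(fds[0], &go, 1) != 1)      /* wait for the grant */
            _exit(1);
        close(fds[0]);
        snprintf(pidbuf, sizeof pidbuf, "%d", (int)getppid());
        execlp("gdb", "gdb", "-batch", "-ex", "bt", "-p", pidbuf, (char *)NULL);
        _exit(127);
    }
    close(fds[0]);
    if (child > 0) {
        (void)allow_ptrace_from(child);     /* -EINVAL without Yama: harmless */
        if (write(fds[1], "g", 1) == 1) {
            int status;
            waitpid(child, &status, 0);     /* gdb attaches, prints bt, detaches */
        }
    }
    close(fds[1]);
    signal(sig, SIG_DFL);                   /* die with the original signal */
    raise(sig);
}

int main(int argc, char **argv)
{
    printf("kernel.yama.ptrace_scope = %d\n", yama_ptrace_scope());
    signal(SIGSEGV, crash_handler);
    signal(SIGABRT, crash_handler);
    if (argc > 1 && strcmp(argv[1], "--crash") == 0) {
        volatile int *p = NULL;
        *p = 1;                             /* deliberate fault */
    }
    return 0;
}
```

Without the grant, at ptrace_scope=1 the child's gdb -p fails with EPERM because the child is not an ancestor of the crashed process; with it, only that PID may attach, which is narrower than the "ptrace anything run by the user" behaviour Eric objects to. On a Fedora box with the SELinux deny_ptrace boolean on, the prctl grant alone is not enough: SELinux still refuses the attach.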