Re: SELinuxDenyPtrace: Write, compile, run, but don't debug applications?

On Mon, Apr 09, 2012 at 09:18:13PM -0400, Daniel J Walsh wrote:
> On 04/09/2012 05:06 PM, Matthew Garrett wrote:
> > On Mon, Apr 09, 2012 at 04:55:27PM -0400, Daniel J Walsh wrote:
> > 
> >> And guess what I use these tools, and I just execute setsebool
> >> deny_ptrace 0 anytime I need to strace or debug an application, then I
> >> turn it back on when I am done.
> > 
> > Are we able to determine that strace or gdb have been explicitly started by
> > the user rather than from some more confined application?
> > 
> We already block ptrace from almost every confined domain other than user domains.

Ok, so if anything that's already a likely target of attack is unable to 
initiate ptrace or start a process that can ptrace, what real extra 
security do we gain by disabling it by default?

-- 
Matthew Garrett | mjg59@xxxxxxxxxxxxx
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
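The workflow Dan describes above (turn deny_ptrace off, strace or debug, turn it back on) is easy to get wrong by forgetting the second step. The wrapper below is an added example, not code from the thread or from the SELinux project: it records the current value of the boolean, disables it for a single command, and restores the previous value on exit or interruption. It assumes getsebool/setsebool from policycoreutils and root privileges; the `getsebool` output format (`deny_ptrace --> on`) is the one those tools print. Note that setsebool without -P is runtime-only, which is what you want here: the permissive window does not survive a reboot.

```shell
#!/bin/sh
# Added example (not from the thread): run one debugging session with
# deny_ptrace temporarily off, restoring the previous value afterwards.
# Assumes getsebool/setsebool (policycoreutils) and root privileges.

# Extract the value ("on" or "off") from a getsebool line such as
# "deny_ptrace --> on".
parse_getsebool() {
    printf '%s\n' "$1" | sed -n 's/^[^ ]* --> *\([a-z]*\).*/\1/p'
}

# Map "on"/"off" to the 1/0 argument setsebool accepts.
bool_to_int() {
    case "$1" in
        on)  echo 1 ;;
        off) echo 0 ;;
        *)   return 1 ;;
    esac
}

# with_ptrace CMD...: disable deny_ptrace only for the duration of CMD.
# No -P is passed, so the change is runtime-only and is not persisted.
# The trap restores the old value even if CMD is interrupted.
with_ptrace() {
    prev=$(parse_getsebool "$(getsebool deny_ptrace)") || return 1
    prev_int=$(bool_to_int "$prev") || return 1
    trap 'setsebool deny_ptrace "$prev_int"' EXIT INT TERM
    setsebool deny_ptrace 0 || return 1
    "$@"
    rc=$?
    setsebool deny_ptrace "$prev_int"
    trap - EXIT INT TERM
    return "$rc"
}

# Usage (as root): ./with_ptrace.sh strace -f -o /tmp/app.trace ./app
if [ "$#" -gt 0 ]; then
    with_ptrace "$@"
fi
```

Running a debugger this way keeps the boolean on for everything except the one session you are actually watching, which is the behaviour the thread is arguing about: the confined domains that are likely attack targets are still blocked by policy regardless of the boolean's value.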
