On Tue, Apr 10, 2012 at 11:26:50AM -0300, Horst H. von Brand wrote:
> Matthew Garrett <mjg59@xxxxxxxxxxxxx> wrote:
>
> [...]
>
> > To a first approximation, simply auditing the distribution for anything
> > that opens files or reads information from the network and forbidding
> > them ptrace access (and denying ptrace access from any existing confined
> > domains except, maybe, staff_t) seems like it would get us most of the
> > way to option 4 without breaking existing user expectations. What am I
> > missing that makes this infeasible?
>
> That would leave just "Hello, world!" style programs (as long as they
> aren't in some way localized, like the GNU version is).

Yeah, that's a bit broad. The 99% case would probably be anything that
reads from the network or opens PDFs or doc files.

--
Matthew Garrett | mjg59@xxxxxxxxxxxxx
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel