Stephen Smalley wrote: > In the future, I'd like to see proc permission checking revised to > distinguish read-only access to process state vs. full ptrace access. That would have to be much more detailed than just read/writer vs read-only. ptrace reads can leak information (especially a no-no for MLS but also for normal operation). For instance, you don't want to allow poking a process to get randomization values/seeds like the one used for pointer encryption. So, you'd have to go into great detail and maybe even split the functionality of a single ptrace or /proc operation in minute parts which might or might not be allowed. -- ➧ Ulrich Drepper ➧ Red Hat, Inc. ➧ 444 Castro St ➧ Mountain View, CA ❖
Attachment:
signature.asc
Description: OpenPGP digital signature
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
