Re: [PATCH] ptrace: allow restriction of ptrace scope

Kees Cook <kees.cook@xxxxxxxxxxxxx> writes:

> [...]  At present, I'm aware of global PTRACE control being possible
> in SELinux, AppArmor, grsecurity, and as a patch in Ubuntu's kernel.
> I don't know about TOMOYO or Smack, but configuring the default
> scope of PTRACE in at least 4 different ways so far (or not being
> able to change it at all) just seems crazy. [...]

For the curious, below is a demonstration of an interactive systemtap
script that can implement this sort of local policy, independently of
the other security APIs.

http://sourceware.org/systemtap/examples/keyword-index.html#SECURITY

just a user         sammy sysadmin
===========         ==============

8232% echo $$
8232

                    root# noptrace.stp -x 8232 &

8232% do-stuff &
[1] 8888
                    root# cat /proc/systemtap/stap_*/blocked
                    8232 /bin/bash
                    8888 /usr/local/bin/do-stuff

8232% strace ls
strace: ptrace(PTRACE_TRACEME, ...): No such process
8232% gdb do-stuff 8888
Attaching to program: /usr/local/bin/do-stuff, process 8888
ptrace: No such process.

                    root# echo 8232 > /proc/systemtap/stap_*/unblock

8232% strace ls
[...working again...]


- FChE
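As an added illustration of the mechanism shown in the session above (this is not the noptrace.stp script from the systemtap examples directory and not part of FChE's mail), here is a hypothetical systemtap script that blocks ptrace for a target process and its children, exposes the table under /proc/systemtap/<module>/blocked, and lets root lift a block by writing a pid to /proc/systemtap/<module>/unblock. It assumes guru mode (stap -g), a debuginfo-based syscall tapset in which $request of sys_ptrace is a writable target variable, the kprocess.create / kprocess.exec_complete / kprocess.exit and procfs tapset probes, and a fixed module name chosen with -m noptrace.

```systemtap
# Hypothetical per-process ptrace policy (illustration only, not the
# systemtap project's noptrace.stp). Run as root with:
#   stap -g -m noptrace noptrace-demo.stp -x <PID>
# -g: guru mode, needed because a syscall argument is rewritten
# -m: fixes the module name, so the files appear under /proc/systemtap/noptrace/

global blocked   # pid -> executable name of processes denied ptrace

# The process named with -x is blocked from the start.
probe begin {
  if (target() == 0)
    error("usage: stap -g -m noptrace noptrace-demo.stp -x <PID>")
  blocked[target()] = "(target)"
  printf("blocking ptrace for pid %d\n", target())
}

# Children of a blocked process inherit the restriction...
probe kprocess.create {
  if (pid() in blocked)
    blocked[new_pid] = execname()
}

# ...and the recorded name is refreshed once they exec a new image
# (this is how the listing shows /usr/local/bin/do-stuff for the child).
probe kprocess.exec_complete {
  if (success && pid() in blocked)
    blocked[pid()] = execname()
}

# Forget a process when its thread-group leader exits, so the table does
# not grow without bound. (Assumption: single-threaded processes, as in
# the demo; a multi-threaded leader exiting early would drop the entry.)
probe kprocess.exit {
  if (tid() == pid())
    delete blocked[pid()]
}

# Deny: any ptrace() issued by a blocked process, or aimed at one, gets
# its request code rewritten to an invalid value. The kernel then fails
# the call with ESRCH, matching the "No such process" errors from strace
# and gdb in the demo session. 'pid' here is the tapset's copy of the
# syscall's pid argument, 'pid()' the caller's pid.
probe syscall.ptrace {
  if (pid() in blocked || pid in blocked) {
    printf("denied ptrace(req=%d, pid=%d) from pid %d (%s)\n",
           request, pid, pid(), execname())
    $request = -1
  }
}

# cat /proc/systemtap/noptrace/blocked prints "pid name" lines.
probe procfs("blocked").read {
  foreach (p in blocked)
    $value .= sprintf("%d %s\n", p, blocked[p])
}

# echo <pid> > /proc/systemtap/noptrace/unblock lifts the block for <pid>.
probe procfs("unblock").write {
  delete blocked[strtol($value, 10)]
}
```

The deny path rewrites the request rather than sending a signal so that the tracer simply sees a failed ptrace() call and carries on, which is the behaviour the transcript shows; a policy that should instead terminate or log the tracer would change only that one probe body.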
--
To unsubscribe from this list: send the line "unsubscribe linux-doc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html