On Mon, 21 Jun 2010 10:52:11 +1000, James Morris said:

> Note that people using SELinux or AppArmor already have the ability to
> restrict ptrace, and they would thus not need to stack this function if it
> were in a separate LSM.

That's assuming they can figure out how to write and integrate the required policy changes. Looking inside selinux-policy-3.8.3-4.fc14.src.rpm from Fedora Rawhide:

(Holy cow, there's a .git tree in that tarball - no wonder it's 20M in size.)

    % cd serefpolicy-3.8.3/policy/modules; wc -l */* | grep total
    135967 total

135kloc of policy that probably nobody in your shop really understands. At that point, writing something that stacks starts sounding really enticing.