This still appears to be a bit broken There are three problems here 1. I can stop an app changing privs which in some SELinux or APParmour cases might mean I prevent it being dropped into a less privileged position. That's something only the security policy knows. So for SELinux and Apparmour and the like in some situations you are potentially adding a security hole. That one seems hard to fix unless you fail the exec if it causes a security transition, as opposed to just keeping the old one. For non change cases we can however still pass the filter on, which is the usual sane case. 2. ptrace You neeed to also stop ptrace otherwise the locked down process can use ptrace to proxy its activity via another task with the same uid. That's easy enough to add fortunately. 3. file access You have the same attacks via patching files of running apps etc. In the intended circumstances I'm not sure this matters or is cleanly fixable. It's the point at which you need a real system wide policy and SELinux etc anyway. Alan -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
