change coming with maverick's 2.6.34-5 kernels
mjg59 at srcf.ucam.org
Tue Jun 1 18:07:02 BST 2010
On Tue, Jun 01, 2010 at 10:03:27AM -0700, Kees Cook wrote:
> Both AppArmor and SELinux contain PTRACE within a given profile/policy,
> so yes, it is confined under those conditions. My concern is for stuff
> that isn't covered by an LSM policy. A lot of those things tend to be
> running on a desktop, as the same user, so this overlaps well.
So isn't this just equivalent to changing your default LSM policy to
forbid ptrace, except with less in the way of configurability? Doing it
at the security policy lets you provide exceptions for the applications
that need to have ptrace capabilities.
Matthew Garrett | mjg59 at srcf.ucam.org