change coming with maverick's 2.6.34-5 kernels

Matthew Garrett mjg59 at
Tue Jun 1 18:07:02 BST 2010

On Tue, Jun 01, 2010 at 10:03:27AM -0700, Kees Cook wrote:

> Both AppArmor and SELinux contain PTRACE within a given profile/policy,
> so yes, it is confined under those conditions.  My concern is for stuff
> that isn't covered by an LSM policy.  A lot of those things tend to be
> running on a desktop, as the same user, so this overlaps well.

So isn't this just equivalent to changing your default LSM policy to 
forbid ptrace, except with less in the way of configurability? Doing it 
at the security policy lets you provide exceptions for the applications 
that need to have ptrace capabilities.

Matthew Garrett | mjg59 at
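The trade-off Kees and Matthew are arguing about (a kernel-wide ptrace restriction versus per-application exceptions in an LSM policy) can be watched directly from user space. The following is an added example, not code from this thread or from the Ubuntu kernel; it assumes the maverick change is the Yama-style `kernel.yama.ptrace_scope` sysctl, under which an unprivileged process may only attach to its own descendants unless the tracee opts a specific tracer in with `prctl(PR_SET_PTRACER, pid)`. The child here tries to attach to its parent (a process that is not its descendant), first without and then with that opt-in, and compares the outcome against a small model of the policy. The helper names, the exit-code convention and the constructed fork/pipe experiment are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef PR_SET_PTRACER
#define PR_SET_PTRACER 0x59616d61   /* "Yama"; newer <sys/prctl.h> defines it */
#endif

/* Read /proc/sys/kernel/yama/ptrace_scope; -1 if Yama is not present. */
int read_ptrace_scope(void)
{
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    int scope = -1;
    if (!f) return -1;
    if (fscanf(f, "%d", &scope) != 1) scope = -1;
    fclose(f);
    return scope;
}

/* Model of the Yama rule for an unprivileged, same-uid tracer that is NOT an
 * ancestor of the tracee: 0 = attach allowed, EPERM = denied (assumption:
 * no CAP_SYS_PTRACE involved). Scope 1 is the restricted default discussed
 * in the thread; the tracee can opt one tracer in with PR_SET_PTRACER. */
int expected_attach_result(int scope, int tracee_opted_in)
{
    switch (scope) {
    case 0:  return 0;                            /* classic DAC only */
    case 1:  return tracee_opted_in ? 0 : EPERM;   /* descendants or opt-in */
    case 2:
    case 3:  return EPERM;                         /* admin-only / never */
    default: return 0;                             /* no Yama: DAC rules */
    }
}

/* Constructed experiment: fork a child that PTRACE_ATTACHes its parent.
 * If opt_in is set, the parent first names the child as its allowed tracer.
 * Returns 0 if the attach succeeded, the errno it failed with, or -1 if the
 * experiment itself could not be carried out. */
int attach_parent_from_child(int opt_in)
{
    int pipefd[2];
    if (pipe(pipefd) != 0) return -1;

    pid_t child = fork();
    if (child < 0) return -1;

    if (child == 0) {
        char go;
        close(pipefd[1]);
        /* Do not attach until the parent has (possibly) opted us in. */
        if (read(pipefd[0], &go, 1) != 1) _exit(255);
        pid_t parent = getppid();
        if (ptrace(PTRACE_ATTACH, parent, NULL, NULL) == -1) {
            int e = errno;                          /* EPERM when denied */
            _exit(e > 0 && e < 254 ? e : 254);
        }
        /* Attach sends SIGSTOP; wait for the stop, then release the parent. */
        int st;
        if (waitpid(parent, &st, 0) == parent)
            ptrace(PTRACE_DETACH, parent, NULL, NULL);
        _exit(0);
    }

    close(pipefd[0]);
    if (opt_in) {
        /* Per-process exception: only this child may trace us. Returns
         * EINVAL on kernels without Yama, which is harmless here. */
        prctl(PR_SET_PTRACER, (unsigned long)child, 0, 0, 0);
    }
    if (write(pipefd[1], "x", 1) != 1) { close(pipefd[1]); return -1; }
    close(pipefd[1]);

    int status;
    if (waitpid(child, &status, 0) != child || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    return (code == 254 || code == 255) ? -1 : code;
}

int main(void)
{
    int scope = read_ptrace_scope();
    printf("kernel.yama.ptrace_scope = %d\n", scope);
    for (int opt_in = 0; opt_in <= 1; opt_in++) {
        int got = expected_attach_result(scope, opt_in);
        int seen = attach_parent_from_child(opt_in);
        printf("opt_in=%d: attach -> %s (policy model says %s)\n", opt_in,
               seen == 0 ? "allowed" : seen > 0 ? strerror(seen) : "untestable",
               got == 0 ? "allowed" : strerror(got));
    }
    return 0;
}
```

Run it as an ordinary user, then again after `sysctl kernel.yama.ptrace_scope=0`, and the difference in the `opt_in=0` line is exactly the behaviour change the thread is about; the `opt_in=1` line shows the per-process escape hatch that a sysctl-wide setting offers in place of the finer-grained exceptions an LSM profile could express.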

