change coming with maverick's 2.6.34-5 kernels
Matthew Garrett
mjg59 at srcf.ucam.org
Tue Jun 1 18:26:34 BST 2010

On Tue, Jun 01, 2010 at 10:19:56AM -0700, Kees Cook wrote:
> On Tue, Jun 01, 2010 at 06:07:02PM +0100, Matthew Garrett wrote:
> > So isn't this just equivalent to changing your default LSM policy to
> > forbid ptrace, except with less in the way of configurability? Doing it
> > at the security policy lets you provide exceptions for the applications
> > that need to have ptrace capabilities.
>
> Correct, though some LSMs (e.g. AppArmor) do not have a "default policy"

So set it with pam_cap, and then hand it back to individual applications
with a policy?
--
Matthew Garrett | mjg59 at srcf.ucam.org