change coming with maverick's 2.6.34-5 kernels
Kees Cook
kees at ubuntu.com
Tue Jun 1 18:38:02 BST 2010
On Tue, Jun 01, 2010 at 06:26:34PM +0100, Matthew Garrett wrote:
> On Tue, Jun 01, 2010 at 10:19:56AM -0700, Kees Cook wrote:
> > On Tue, Jun 01, 2010 at 06:07:02PM +0100, Matthew Garrett wrote:
> > > So isn't this just equivalent to changing your default LSM policy to
> > > forbid ptrace, except with less in the way of configurability? Doing it
> > > at the security policy lets you provide exceptions for the applications
> > > that need to have ptrace capabilities.
> >
> > Correct, though some LSMs (e.g. AppArmor) do not have a "default policy"
>
> So set it with pam_cap, and then hand it back to individual applications
> with a policy?
Presently there isn't a middle-ground between CAP_SYS_PTRACE (of all
processes) and "PTRACE of my processes".
--
Kees Cook
Ubuntu Security Team
More information about the ubuntu-devel
mailing list