change coming with maverick's 2.6.34-5 kernels

Kees Cook kees at
Tue Jun 1 22:13:35 BST 2010

On Tue, Jun 01, 2010 at 06:42:40PM +0100, Matthew Garrett wrote:
> On Tue, Jun 01, 2010 at 10:38:02AM -0700, Kees Cook wrote:
> > On Tue, Jun 01, 2010 at 06:26:34PM +0100, Matthew Garrett wrote:
> > > So set it with pam_cap, and then hand it back to individual applications 
> > > with a policy?
> > 
> > Presently there isn't a middle-ground between CAP_SYS_PTRACE (of all
> > processes) and "PTRACE of my processes".
> Yes, but I don't think that's the distinction you need to provide the 
> security you want - and doing it this way avoids unexpectedly breaking 
> developer applications.

This discussion ended up on IRC, but to give a quick summary for those
following this mailing list thread, IIUC:

CAP_SYS_PTRACE can't be used because it imparts too much power, and
fine-grained LSM policy can't be used, at least with AppArmor, since it
lacks a sense of "default policy".


Kees Cook
Ubuntu Security Team

More information about the ubuntu-devel mailing list