From: Valdis.Kletnieks@vt.edu
To: James Morris
Cc: Theodore Tso, Casey Schaufler, Alan Cox, Kees Cook, Randy Dunlap, linux-kernel@vger.kernel.org, Andrew Morton, Jiri Kosina, Dave Young, Martin Schwidefsky, Roland McGrath, Oleg Nesterov, "H. Peter Anvin", David Howells, Ingo Molnar, Peter Zijlstra, "Eric W. Biederman", linux-doc@vger.kernel.org, Stephen Smalley, Daniel J Walsh, linux-security-module@vger.kernel.org
Subject: Re: [PATCH] ptrace: allow restriction of ptrace scope
Date: Sun, 20 Jun 2010 22:16:13 -0400
Message-ID: <92911.1277086573@localhost>
In-Reply-To: Your message of "Mon, 21 Jun 2010 10:52:11 +1000."
References: <20100616221833.GM24749@outflux.net> <20100617000120.13071be8@lxorguk.ukuu.org.uk> <20100616232230.GP24749@outflux.net> <20100617170453.GV24749@outflux.net> <20100617215349.2fac02f5@lxorguk.ukuu.org.uk> <20100617140630.c6ced27a.rdunlap@xenotime.net> <20100617221815.68ce30c5@lxorguk.ukuu.org.uk> <20100617215105.GB24749@outflux.net> <20100617233054.330256cf@lxorguk.ukuu.org.uk> <4C1AE3A8.2020104@schaufler-ca.com>

On Mon, 21 Jun 2010 10:52:11 +1000, James Morris said:

> Note that people using SELinux or AppArmor already have the ability to
> restrict ptrace, and they would thus not need to stack this function if it
> were in a separate LSM.

That's assuming they can figure out how to write and integrate the required
policy changes. Looking inside selinux-policy-3.8.3-4.fc14.src.rpm from
Fedora Rawhide: (Holy cow, there's a .git tree in that tarball - no wonder
it's 20M in size).

    % cd serefpolicy-3.8.3/policy/modules; wc -l */* | grep total
    135967 total

135kloc of policy that probably nobody in your shop really understands. At
that point, writing something that stacks starts sounding really enticing.