From: russell@coker.com.au (Russell Coker) Date: Sun, 12 Feb 2017 18:16:57 +1100 Subject: [refpolicy] [PATCH] deny_ptrace Message-ID: <20170212071657.blofqcpbffwf74pl@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The below patch is something that I think came from Fedora when I merged their systemd policy. It's not complete (would need to have lots more ifdefs) and would probably take more work to get it complete (as programs that call ps are often flagged as needing ptrace access). Is this something that's worth continuing with or should I just drop it to get closer to upstream? diff -ru /home/rjc/src/pol-git/policy/global_tunables /tmp/pol-git/policy/global_tunables --- /home/rjc/src/pol-git/policy/global_tunables 2016-08-03 10:37:38.704348215 +1000 +++ /tmp/pol-git/policy/global_tunables 2017-02-12 18:13:03.584953597 +1100 @@ -6,6 +6,13 @@ ## ##

+## Allow sysadm to debug or ptrace all processes. +##

+##
+gen_tunable(deny_ptrace, false) + +## +##

## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla ##

##
diff -ru /home/rjc/src/pol-git/policy/modules/system/init.if /tmp/pol-git/policy/modules/system/init.if --- /home/rjc/src/pol-git/policy/modules/system/init.if 2017-02-09 12:14:04.820887209 +1100 +++ /tmp/pol-git/policy/modules/system/init.if 2017-02-12 18:13:03.584953597 +1100 @@ -1504,7 +1504,9 @@ type init_t; ') - allow $1 init_t:process ptrace; + tunable_policy(`deny_ptrace',`',` + allow $1 init_t:process ptrace; + ') ') ########################################
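Review bot: in the global_tunables hunk, the description added above `gen_tunable(deny_ptrace, false)` reads "Allow sysadm to debug or ptrace all processes", which is the inverse of what the boolean's name and its use in init.if imply: with deny_ptrace left at its default of false the ptrace allow rule stays in effect, and setting it to true removes that rule. The text should describe what enabling the tunable does (deny the process ptrace permission to the domains whose rules are wrapped in it) and should not single out sysadm, because the init.if hunk applies to whichever domain calls the interface. The bare `##` lines around the description also look as if the `<desc><p>...</p></desc>` markup was lost when the patch was pasted, so the on-disk patch should be checked before it is applied.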
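Review bot: in the init.if hunk, `tunable_policy(`deny_ptrace',`',` allow $1 init_t:process ptrace; ')` leaves the true branch empty and puts the rule in the else branch, which is hard to read; refpolicy's tunable_policy accepts a negated condition, so `tunable_policy(`!deny_ptrace',` allow $1 init_t:process ptrace; ')` says the same thing directly. The interface's documentation block should also state that the access is now conditional on deny_ptrace, since callers that previously received ptrace unconditionally will silently lose it once the boolean is set. On the cover text's concern about ps: reading another process's /proc/<pid> files such as environ or maps goes through the kernel's ptrace access check, which SELinux reports as a process ptrace denial, so every domain that runs ps over other domains will be caught by this tunable along with real debuggers; that is the source of the extra conditionals the patch would need before it is complete.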