From: jason@perfinion.com (Jason Zaman)
Date: Sun, 12 Feb 2017 15:34:06 +0800
Subject: [refpolicy] [PATCH] deny_ptrace
In-Reply-To: <CAPuKSJYLS3GsdhO=Wo2n=rzMBU_7047KN6zVryNOk-Zh9asLYA@mail.gmail.com>
References: <20170212071657.blofqcpbffwf74pl@athena.coker.com.au>
	<CAPuKSJbwACL2QAjbU0p4Lr3CVMzTpGi08sOu+d0t=Yq5ubT8Bg@mail.gmail.com>
	<CAPuKSJZJGw7h=TaNvdFEaR-a-f46QMMO7QT1NUYV5QqYN6NFVw@mail.gmail.com>
	<CAPuKSJbwivUrt=VTrfWB57NH2CxWrYwtmvbjHYV4o4eXetAZjQ@mail.gmail.com>
	<CAPuKSJYLS3GsdhO=Wo2n=rzMBU_7047KN6zVryNOk-Zh9asLYA@mail.gmail.com>
Message-ID: <CAPuKSJbZsB5dbjJfM7++zgYvSg14mqNMGCc6cY3U6cHU1QREQg@mail.gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

https://github.com/TresysTechnology/refpolicy/blob/master/policy/modules/roles/sysadm.te#L10

Refpolicy already has this but reversed. Refpolicy prefers to ship with all
booleans disabled so it's allow_ptrace instead of deny_ptrace.

Adding more places is probably good tho if they're missing then you can
drop anything custom in Debian's packages

On 12 Feb 2017 15:17, "Russell Coker via refpolicy" <
refpolicy@oss.tresys.com> wrote:

The below patch is something that I think came from Fedora when I merged
their
systemd policy.  It's not complete (would need to have lots more ifdefs) and
would probably take more work to get it complete (as programs that call ps
are often flagged as needing ptrace access).

Is this something that's worth continuing with or should I just drop it to
get closer to upstream?


diff -ru /home/rjc/src/pol-git/policy/global_tunables
/tmp/pol-git/policy/global_tunables
--- /home/rjc/src/pol-git/policy/global_tunables        2016-08-03
10:37:38.704348215 +1000
+++ /tmp/pol-git/policy/global_tunables 2017-02-12 18:13:03.584953597 +1100
@@ -6,6 +6,13 @@

 ## <desc>
 ## <p>
+## Allow sysadm to debug or ptrace all processes.
+## </p>
+## </desc>
+gen_tunable(deny_ptrace, false)
+
+## <desc>
+## <p>
 ## Allow unconfined executables to make their heap memory executable.
Doing this is a really bad idea. Probably indicates a badly coded
executable, but could indicate an attack. This executable should be
reported in bugzilla
 ## </p>
 ## </desc>
diff -ru /home/rjc/src/pol-git/policy/modules/system/init.if
/tmp/pol-git/policy/modules/system/init.if
--- /home/rjc/src/pol-git/policy/modules/system/init.if 2017-02-09
12:14:04.820887209 +1100
+++ /tmp/pol-git/policy/modules/system/init.if  2017-02-12
18:13:03.584953597 +1100
@@ -1504,7 +1504,9 @@
                type init_t;
        ')

-       allow $1 init_t:process ptrace;
+       tunable_policy(`deny_ptrace',`',`
+               allow $1 init_t:process ptrace;
+       ')
 ')

 ########################################
_______________________________________________
refpolicy mailing list
refpolicy at oss.tresys.com
http://oss.tresys.com/mailman/listinfo/refpolicy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20170212/de328fe2/attachment.html