From: jason@perfinion.com (Jason Zaman)
Date: Sun, 12 Feb 2017 15:34:06 +0800
Subject: [refpolicy] [PATCH] deny_ptrace
In-Reply-To:
References: <20170212071657.blofqcpbffwf74pl@athena.coker.com.au>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

https://github.com/TresysTechnology/refpolicy/blob/master/policy/modules/roles/sysadm.te#L10

Refpolicy already has this but reversed. Refpolicy prefers to ship with all booleans disabled, so it's allow_ptrace instead of deny_ptrace. Adding more places is probably good though; if they're missing then you can drop anything custom in Debian's packages.

On 12 Feb 2017 15:17, "Russell Coker via refpolicy" <refpolicy@oss.tresys.com> wrote:

The below patch is something that I think came from Fedora when I merged their systemd policy. It's not complete (would need to have lots more ifdefs) and would probably take more work to get it complete (as programs that call ps are often flagged as needing ptrace access). Is this something that's worth continuing with or should I just drop it to get closer to upstream?

diff -ru /home/rjc/src/pol-git/policy/global_tunables /tmp/pol-git/policy/global_tunables --- /home/rjc/src/pol-git/policy/global_tunables 2016-08-03 10:37:38.704348215 +1000 +++ /tmp/pol-git/policy/global_tunables 2017-02-12 18:13:03.584953597 +1100 @@ -6,6 +6,13 @@ ## ##

+## Allow sysadm to debug or ptrace all processes. +##

+##
+gen_tunable(deny_ptrace, false) + +## +##

## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla ##

##
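Review bot: the description added for the new tunable ("Allow sysadm to debug or ptrace all processes.") states the opposite of what the boolean named deny_ptrace does, so whoever reads the generated tunable documentation will get the sense inverted; reword it to say what enabling deny_ptrace denies, and keep the default of false consistent with that wording. Also, as the reply above points out, refpolicy already carries the same control in the other polarity as allow_ptrace in policy/modules/roles/sysadm.te, so adding a global deny_ptrace here means two booleans for one decision; either reuse allow_ptrace throughout or explain in the commit message why a second, inverted tunable is needed.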
diff -ru /home/rjc/src/pol-git/policy/modules/system/init.if /tmp/pol-git/policy/modules/system/init.if --- /home/rjc/src/pol-git/policy/modules/system/init.if 2017-02-09 12:14:04.820887209 +1100 +++ /tmp/pol-git/policy/modules/system/init.if 2017-02-12 18:13:03.584953597 +1100 @@ -1504,7 +1504,9 @@ type init_t; ') - allow $1 init_t:process ptrace; + tunable_policy(`deny_ptrace',`',` + allow $1 init_t:process ptrace; + ') ') ########################################
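Review bot: the `tunable_policy(`deny_ptrace',`',` ... ')` form with an empty true branch and the allow rule in the else branch is hard to read; since the conditional expression can be negated, `tunable_policy(`!deny_ptrace',` allow $1 init_t:process ptrace; ')` expresses the same rule directly. The interface's documentation block above this hunk is not updated to say that the ptrace permission is now conditional on the boolean, so callers will not know the access can be switched off; add that to the interface's description. This is also the only call site in the patch, which matches the "not complete" caveat in the cover text: every other place that grants process ptrace stays unconditional, so the boolean as posted denies ptrace only towards init_t.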