Re: [PATCH] ptrace: allow restriction of ptrace scope

From: Kees Cook
Date: Thu Jun 17 2010 - 18:26:25 EST

Next message: H. Peter Anvin: "Re: [PATCH] x86: clear XD_DISABLED flag on Intel to regain NX"
Previous message: Victor Lowther: "Re: [linux-pm] RFC: /sys/power/policy_preference"
In reply to: Alan Cox: "Re: [PATCH] ptrace: allow restriction of ptrace scope"
Next in thread: Alan Cox: "Re: [PATCH] ptrace: allow restriction of ptrace scope"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Jun 17, 2010 at 11:18:59PM +0100, Alan Cox wrote:
> > And for them, it certainly seems like a good idea to be able to turn off
> > PTRACE without having to fiddle with an LSM.
>
> But that *is* an LSM, its a security policy.
>
> You don't seem to get it - even the default kernel security is a
> security policy (security/commoncap.c etc)

I do get it. I also get that every LSM calls out to commoncap, making
it effectively stacked with the primary LSM -- the only LSM that gets
stacked. In fact, this is how I even started implementing these features:
as patches to commoncap, but James preferred it to be in core since they
are of general utility. But core people want the changes in security/
instead.

I don't mind putting them in commoncap at all. I would just like people
to agree on what they disagree about. :)

-Kees

--
Kees Cook
Ubuntu Security Team
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: H. Peter Anvin: "Re: [PATCH] x86: clear XD_DISABLED flag on Intel to regain NX"
Previous message: Victor Lowther: "Re: [linux-pm] RFC: /sys/power/policy_preference"
In reply to: Alan Cox: "Re: [PATCH] ptrace: allow restriction of ptrace scope"
Next in thread: Alan Cox: "Re: [PATCH] ptrace: allow restriction of ptrace scope"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]