Le mardi 10 avril 2012 à 02:57 +0100, Matthew Garrett a écrit : > On Mon, Apr 09, 2012 at 09:18:13PM -0400, Daniel J Walsh wrote: > > On 04/09/2012 05:06 PM, Matthew Garrett wrote: > > > On Mon, Apr 09, 2012 at 04:55:27PM -0400, Daniel J Walsh wrote: > > > > > >> And guess what I use these tools, and I just execute setsebool > > >> deny_ptrace 0 anytime I need to strace or debug an application, then I > > >> turn it back on when I am done. > > > > > > Are we able to determine that strace or gdb have been explicitly started > > > by > > > the user rather than from some more confined application? > > > > > We already block ptrace from almost every confined domain other then user > > domains. > > Ok, so if anything that's already a likely target of attack is unable to > initiate ptrace or start a process that can ptrace, what real extra > security do we gain by disabling it by default?
AFAIK, firefox is not running in a confined domain, and that's a valuable target of attack. The same could be said of some others applications ( like acroread, etc ). -- Michael Scherer -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
