[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pidof -c fails under FC6/strict



Stephen Smalley wrote:
> In the future, I'd like to see proc permission checking revised to
> distinguish read-only access to process state vs. full ptrace access.

That would have to be much more detailed than just read/writer vs
read-only.  ptrace reads can leak information (especially a no-no for
MLS but also for normal operation).  For instance, you don't want to
allow poking a process to get randomization values/seeds like the one
used for pointer encryption.

So, you'd have to go into great detail and maybe even split the
functionality of a single ptrace or /proc operation in minute parts
which might or might not be allowed.

-- 
➧ Ulrich Drepper ➧ Red Hat, Inc. ➧ 444 Castro St ➧ Mountain View, CA ❖

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]