pidof -c fails under FC6/strict
Ulrich Drepper
drepper at redhat.com
Fri Jan 19 19:11:40 UTC 2007
Stephen Smalley wrote:
> In the future, I'd like to see proc permission checking revised to
> distinguish read-only access to process state vs. full ptrace access.
That would have to be much more detailed than just read/writer vs
read-only. ptrace reads can leak information (especially a no-no for
MLS but also for normal operation). For instance, you don't want to
allow poking a process to get randomization values/seeds like the one
used for pointer encryption.
So, you'd have to go into great detail and maybe even split the
functionality of a single ptrace or /proc operation in minute parts
which might or might not be allowed.
--
➧ Ulrich Drepper ➧ Red Hat, Inc. ➧ 444 Castro St ➧ Mountain View, CA ❖
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 251 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20070119/d04d4fbd/attachment.sig>
More information about the fedora-selinux-list
mailing list