Disabling ptrace

Konstantin Belousov kostikbel at gmail.com
Sat Jan 3 16:32:55 UTC 2015


On Sat, Jan 03, 2015 at 04:25:35PM +0200, Konstantin Belousov wrote:
> On Sat, Jan 03, 2015 at 01:37:33PM +0000, Robert Watson wrote:
> > I'm OK with putting the flag on the process, but frequently the
> > process credential is where we stick security-related subject/object
> > flags...
Hm, credentials store the rights of the subject, related to the
credentials (am I using the correct terminology?). While the no-trace
attribute is not rights, it is very similar to e.g. DAC or ACL on the
files, which are stored in the inode. No-trace is an attribute of the
process, and by the DAC analogy, should be stored in the object which is
protected.

In other words, we do not disallow some user to attach with ptrace,
but mark some process as not attachable.


More information about the freebsd-arch mailing list