what about a trace domain?

Just a thought:
If you disable ptrace in all domains except for a restricted trace domain which your debuggers run as (maybe limit write, etc.) and only allow transition to this domain from a programmer unconfined domain which would otherwise be identical to your user unconfined domain, this might accomplish what you want with fewer knobs. Although your uber programmers may want a knob for writing debuggers.

Re: what about a trace domain?

I actually think that would be more difficult to do than just having the boolean. Since I would by default be having all users as unconfined_t, a programmer would need to set up debugger_t or something like that.
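To make the two designs being compared concrete, here is an added policy sketch in raw SELinux kernel policy language; it is not from either poster. It assumes programmer_t and unconfined_t are already declared and that the base policy provides the domain, file_type and exec_type attributes.

```selinux
# Added sketch, not from the thread. Assumes programmer_t and unconfined_t
# are declared elsewhere, along with the domain, file_type and exec_type
# attributes from the base policy. A and B are alternatives: A's
# conditional rule would trip B's neverallow, so a policy carries one.

# --- Option A: one boolean on the unconfined domain (the "knob") ---
bool allow_ptrace false;
if (allow_ptrace) {
    # Off by default; flip with setsebool only on hosts that debug.
    allow unconfined_t domain:process ptrace;
}

# --- Option B: a dedicated trace domain that debuggers run in ---
type debugger_t, domain;
type debugger_exec_t, file_type, exec_type;

# Only debugger_t may ptrace; the neverallow makes the policy build
# fail if any other domain is ever granted it by mistake.
allow debugger_t domain:process { ptrace getattr sigchld signal sigkill sigstop };
neverallow { domain -debugger_t } domain:process ptrace;

# Only the programmer domain may enter debugger_t, and only by executing
# a file labelled debugger_exec_t (e.g. gdb). Ordinary unconfined_t users
# get no transition rule, so they cannot reach the trace domain at all.
allow programmer_t debugger_exec_t:file { execute read getattr open };
allow debugger_t debugger_exec_t:file entrypoint;
allow programmer_t debugger_t:process transition;
type_transition programmer_t debugger_exec_t:process debugger_t;

# The debugger still has to report exit status back to its parent shell.
allow debugger_t programmer_t:process sigchld;
```

With B in place, a ptrace attempt from unconfined_t shows up as an AVC denial on process:ptrace, which is the audit signal to watch for rather than a silent success.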

