Writing, compiling, running programs, but not debug them?

I was testing F17 just now and to be honest this feature seems not fully thought out. I do understand the intent. Don't allow Firefox plugins to introspect on arbitrary other processes of the user on the machine. But this feature (if turned on by default) is a bit of a sledgehammer. I might not fully understand the subtleties of SELinux, and what confined or unconfined users/processes are. But a normal user is allowed to write, compile and run their own programs. But now they need to have root privileges to be allowed to debug their own programs?

I love to deny ptrace (arbitrary process introspection) to things like Firefox plugins, but having to disable this (and allow anything to use arbitrary ptrace calls) just to be allowed to debug my own programs seems a bit weird.

Can't this feature be made a little bit less rigid? So it can deny ptrace just for specific use cases, but allow it for normal users so they can at least debug their own programs?

Also it seems to not distinguish between introspection on arbitrary processes (strace -p, gdb -p) that use PTRACE_ATTACH, and "normal" debugging which uses PTRACE_ME. Is it ever necessary to disallow PTRACE_ME? https://bugzilla.redhat.com/show_bug.cgi?id=802072

Re: Writing, compiling, running programs, but not debug them?

The PTRACE_ME Separation should be coming in the next kernel. Meaning this feature will not block gdb /usr/bin/foobar, but will block gdb -p 1234.

We currently block mozilla plugins from ptrace by default in F17 with or without this feature.

Sadly I will have to turn off the boolean by default, because this is what I originally stated in the feature page which Fedora approved. If we fix our other problems, I will request a feature to Fedora 18 to turn it on by default.
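The two ptrace entry points discussed in this thread, as an added example that is not part of the original posts: a small C probe that tries PTRACE_TRACEME (the request the thread calls PTRACE_ME) and PTRACE_ATTACH separately and reports which one the running policy denies. The function names are hypothetical, and the attach target is the probe's own child so that no unrelated process is touched.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* "gdb /usr/bin/foobar" style: the child asks to be traced by its parent.
 * Returns 0 if allowed, otherwise the errno the child received. */
int try_traceme(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(errno & 0xff);          /* denial reported via exit status */
        raise(SIGSTOP);                   /* enter a ptrace-stop for the parent */
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0) return errno;
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    kill(pid, SIGKILL);                   /* child is stopped and traced: allowed */
    waitpid(pid, &status, 0);
    return 0;
}

/* "gdb -p 1234" style: the tracer attaches to an already running process.
 * Returns 0 if allowed, otherwise the errno from PTRACE_ATTACH. */
int try_attach(void)
{
    int status, err = 0;
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) { for (;;) pause(); }
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1)
        err = errno;
    else
        waitpid(pid, &status, 0);         /* consume the attach stop */
    kill(pid, SIGKILL);
    waitpid(pid, &status, 0);             /* reap, leave no zombie behind */
    return err;
}

int main(void)
{
    printf("PTRACE_TRACEME: errno %d\n", try_traceme());
    printf("PTRACE_ATTACH:  errno %d\n", try_attach());
    return 0;
}
```

A result of 0 means the request was permitted; EPERM or EACCES means the policy in force refused it.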
