Disabling ptrace
Simon J. Gerraty
sjg at juniper.net
Tue Dec 30 20:56:59 UTC 2014
Shawn Webb <lattera at gmail.com> wrote:
> I'm curious what the use case was that brought this up. And why the requester
> thinks it's actually useful.
Being able to disable ptrace is useful - provided it cannot be bypassed.
In Junos we leveraged the signed binary implementation (based on NetBSD's
verified exec) to tag processes for which ptrace should fail. The
signed binary stuff was also supposed to prevent games with LD_PRELOAD -
assuming we didn't provide and sign the lib in question.
When we re-implemented veriexec as a MAC module, the above was left out,
in anticipation of using a separate module (though perhaps still
leveraging veriexec to set the labels).
More information about the freebsd-arch mailing list