Re: Preventing ptrace()

From: Brian Hatch (secprogat_private)
Date: Tue Dec 31 2002 - 10:31:12 PST


    > You have to remove the CAP_SYS_PTRACE to all processes running in the
    > chroot.  
    > 
    > You can patch the sources of your proxy to handle that by yourself
    > with:
    > 
    >   int   capget(cap_user_header_t   header,   cap_user_data_t data);
    >   int capset(cap_user_header_t header, const cap_user_data_t data);
    > 
    > Note that these functions are Linux specific as CAP_SYS_PTRACE is Linux
    > and not POSIX.
    > 
    > But GRSecurity seems a better solution ...
    
    You could easily remove this capability globally using LCAP[1],
    which modifies /proc/sys/kernel/cap-bound to remove it directly.
    
    Alternatively, you could use an LKM[2] to capture and refuse
    any use of the ptrace syscall itself.
    
    
    These have the benefit of being non-kernel specific - no patches
    are needed.  If you have a security-enhanced kernel such as
    grsecurity, then you should use its built-in capabilities
    limiting functionality though.
    
    [1] The original page seems to have gone AWOL, but you can find
        it in RPM form or as source here and there, such as from
        SecurityFocus.  Do a google.
    
    [2] For example http://www.hackinglinuxexposed.com/tools/p/noptrace.c.html
    --
    Brian Hatch                  Never knock on Death's door.
       Systems and                Ring the doorbell and run.
       Security Engineer          He hates that.
    http://www.ifokr.org/bri/
    
    Every message PGP signed
    
    
    
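The quoted reply suggests that the chrooted proxy drop CAP_SYS_PTRACE from itself with capget()/capset(). The following is an added example, not code from either poster, showing what that looks like on a current Linux kernel: it clears the capability from the calling thread's effective, permitted and inheritable sets, and additionally from the thread's bounding set via prctl(PR_CAPBSET_DROP). The bounding-set step matters for a uid-0 daemon: with default securebits, root's permitted set after execve() is recomputed from the bounding set, so a capability dropped only from the thread's sets comes back on the next exec. The system-wide /proc/sys/kernel/cap-bound file that LCAP edits belongs to 2.4-era kernels; since 2.6.25 the bounding set is per thread and managed with prctl(2), which is what this example assumes. PR_CAPBSET_DROP needs CAP_SETPCAP, so an unprivileged caller gets EPERM from that step while the capset() step (which only removes bits) succeeds for any process. The struct layouts and constants are the stable kernel ABI, copied here so the file builds with only the C library headers; the function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Kernel ABI constants, identical to those in <linux/capability.h>;
 * repeated here so the example compiles with only libc headers. */
#define CAP_SYS_PTRACE_BIT 19          /* CAP_SYS_PTRACE */
#define CAP_VERSION_3 0x20080522u      /* _LINUX_CAPABILITY_VERSION_3 */
#define CAP_WORDS 2                    /* _LINUX_CAPABILITY_U32S_3 */
#ifndef PR_CAPBSET_READ
#define PR_CAPBSET_READ 23
#endif
#ifndef PR_CAPBSET_DROP
#define PR_CAPBSET_DROP 24
#endif

/* Same layout as __user_cap_header_struct / __user_cap_data_struct. */
struct cap_header { unsigned int version; int pid; };
struct cap_data   { unsigned int effective, permitted, inheritable; };

/* Bit 19 lives in word 0 of the two-word v3 layout. */
static const unsigned int PTRACE_MASK = 1u << CAP_SYS_PTRACE_BIT;

/* Read the calling thread's capability sets (pid 0 means "self"). */
static int read_caps(struct cap_header *hdr, struct cap_data data[CAP_WORDS])
{
    memset(hdr, 0, sizeof *hdr);
    memset(data, 0, sizeof(struct cap_data) * CAP_WORDS);
    hdr->version = CAP_VERSION_3;
    hdr->pid = 0;
    return (int)syscall(SYS_capget, hdr, data);
}

/* 1 if CAP_SYS_PTRACE is in the effective set, 0 if not, -1 on error. */
int has_effective_cap_sys_ptrace(void)
{
    struct cap_header hdr;
    struct cap_data data[CAP_WORDS];
    if (read_caps(&hdr, data) != 0)
        return -1;
    return (data[0].effective & PTRACE_MASK) ? 1 : 0;
}

/* Clear CAP_SYS_PTRACE from the effective, permitted and inheritable sets.
 * Only bits are removed, so capset() accepts the change from any process.
 * Returns 0 on success, -1 on error (errno set by the syscall). */
int drop_cap_sys_ptrace(void)
{
    struct cap_header hdr;
    struct cap_data data[CAP_WORDS];
    if (read_caps(&hdr, data) != 0)
        return -1;
    data[0].effective   &= ~PTRACE_MASK;
    data[0].permitted   &= ~PTRACE_MASK;
    data[0].inheritable &= ~PTRACE_MASK;
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Remove CAP_SYS_PTRACE from the thread's bounding set, so a uid-0 process
 * does not regain it on execve(). Needs CAP_SETPCAP; returns 0 on success,
 * otherwise the errno value (EPERM for an unprivileged caller). */
int drop_cap_sys_ptrace_from_bounding_set(void)
{
    if (prctl(PR_CAPBSET_DROP, CAP_SYS_PTRACE_BIT, 0, 0, 0) == 0)
        return 0;
    return errno;
}

/* 1 if CAP_SYS_PTRACE is still in the bounding set, 0 if not, -1 on error.
 * Reading the bounding set needs no privilege. */
int cap_sys_ptrace_in_bounding_set(void)
{
    return prctl(PR_CAPBSET_READ, CAP_SYS_PTRACE_BIT, 0, 0, 0);
}

int main(void)
{
    printf("CAP_SYS_PTRACE effective before: %d\n", has_effective_cap_sys_ptrace());
    if (drop_cap_sys_ptrace() != 0) {
        perror("capset");
        return 1;
    }
    int rc = drop_cap_sys_ptrace_from_bounding_set();
    if (rc != 0)
        fprintf(stderr, "bounding set unchanged: %s\n", strerror(rc));
    printf("CAP_SYS_PTRACE effective after: %d, in bounding set: %d\n",
           has_effective_cap_sys_ptrace(), cap_sys_ptrace_in_bounding_set());
    return 0;
}
```

Run it as root (or with CAP_SETPCAP) to see both steps succeed; as an ordinary user the capset() step succeeds trivially and the bounding-set step reports EPERM. A daemon would call these immediately after chroot() and before dropping uid 0, and can confirm the result later with the PR_CAPBSET_READ check or by reading CapBnd in /proc/self/status.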



    This archive was generated by hypermail 2b30 : Tue Dec 31 2002 - 18:18:11 PST