The ptrace() system call allows one process to observe and control the execution of another process, including reading and changing its memory and registers. It is used mainly by developers for debugging, for example by the strace and gdb utilities. When ptrace() is not needed, it can be disabled to improve system security by enabling the deny_ptrace Boolean, which prevents all processes, even those running in the unconfined_t domain, from using ptrace() on other processes.
The deny_ptrace Boolean is disabled by default. To enable it, run the setsebool -P deny_ptrace on command as the root user:
~]# setsebool -P deny_ptrace on
To verify the current state of the Boolean, run getsebool (no root privileges are needed):
~]$ getsebool deny_ptrace
deny_ptrace --> on
The denial takes effect only while SELinux is in enforcing mode (check with getenforce); in permissive mode the attach still succeeds and only an AVC denial is logged. To disable the Boolean again, run the setsebool -P deny_ptrace off command as root:
~]# setsebool -P deny_ptrace off
Note: The setsebool -P command makes persistent changes. Do not use the -P option if you do not want the change to persist across reboots.
Enabling the Boolean turns off only the policy rules that are conditional on it; domains granted ptrace by unconditional rules can still use the ptrace() system call. To list all domains that are allowed to use ptrace(), run the following command. Note that the sesearch utility is provided by the setools-console package, which is not installed by default:
~]# sesearch -A -p ptrace,sys_ptrace -C | grep -v deny_ptrace | cut -d ' ' -f 5
The sesearch call prints every allow rule that grants the process ptrace permission or the sys_ptrace capability, together with the conditional expression each rule depends on (-C). The grep -v deny_ptrace step drops every rule whose condition involves the deny_ptrace Boolean, so the remaining lines are rules the Boolean does not control; cut then extracts the source domain field from each line. The field position depends on the output layout of the installed sesearch version, so if the result looks wrong, inspect the unfiltered sesearch output.
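getsebool reports only the state of the Boolean; it does not show whether an attach is actually refused for the domain you care about. The following probe is added here as an example and is not part of the Red Hat guide: it forks a child and attempts PTRACE_ATTACH on it, returning 0 on success or the errno that ptrace() set. Run it before and after setsebool -P deny_ptrace on to see EPERM appear in enforcing mode. EPERM can also come from other ptrace restrictions (for example the kernel's Yama ptrace_scope setting), so confirm the cause with ausearch -m AVC -ts recent.

```c
/* ptrace_probe.c: added example, not code from the Red Hat SELinux guide.
 * Build: gcc -Wall -o ptrace_probe ptrace_probe.c
 * Run:   ./ptrace_probe   (before and after toggling deny_ptrace) */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child that only pauses, try PTRACE_ATTACH on it, then clean up.
 * Returns 0 if the attach succeeded, otherwise the errno from ptrace().
 * Under deny_ptrace in enforcing mode this is EPERM (with an AVC logged). */
int probe_ptrace_attach(void)
{
    pid_t child = fork();
    if (child < 0)
        return errno;
    if (child == 0) {
        /* Target: die with the parent so no stray process is left behind,
         * then sleep until the parent kills us. */
        prctl(PR_SET_PDEATHSIG, SIGKILL);
        for (;;)
            pause();
    }

    int result = 0;
    if (ptrace(PTRACE_ATTACH, child, NULL, NULL) == -1) {
        result = errno;
    } else {
        /* Attach delivers SIGSTOP; wait for that stop, then let go again. */
        int status;
        if (waitpid(child, &status, 0) == child && WIFSTOPPED(status))
            ptrace(PTRACE_DETACH, child, NULL, NULL);
    }

    /* Tear down the target whether or not the attach worked. */
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return result;
}

int main(void)
{
    int rc = probe_ptrace_attach();
    if (rc == 0)
        puts("PTRACE_ATTACH succeeded: ptrace is not being denied for this domain");
    else if (rc == EPERM)
        puts("PTRACE_ATTACH failed with EPERM: attach denied; check "
             "'ausearch -m AVC -ts recent' for the SELinux denial");
    else
        printf("PTRACE_ATTACH failed: %s\n", strerror(rc));
    return rc == 0 ? 0 : 1;
}
```

The probe attaches to its own child, so it exercises the same ptrace permission check the Boolean controls without needing a second terminal or CAP_SYS_PTRACE; a successful attach while deny_ptrace is on means the Boolean is not being enforced for that domain (check getenforce first).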