On Mon, Oct 06, 2025 at 05:15:47PM +0200, Bastian Blank wrote: > On Mon, Oct 06, 2025 at 05:01:39PM +0200, Bálint Réczey wrote: > > > From my view: it needs to employ the "can ptrace" check for any > > > monitored process. > > I think that would also be against the monitoring's usefulness. Not > > ptrace-able processes can cause issues to be triaged, too. > > In that case you need to go through the normal elevation rules. So > either sudo oder packagekit.
I think you may mean PolicyKit? But yes, ideally this would use PolicyKit rather than a group-limited setuid/setcap binary. In the absence of that, the group at least needs to be documented as root-equivalent, since systemwide monitoring of syscalls on privileged processes almost certainly is.
