> On Nov. 30, 2015, 10:34 a.m., Tobias Berner wrote:
> > I think FreeBSD 10 introduced a similar interface in r277322
> > https://svnweb.freebsd.org/base?view=revision&revision=277322
> > Though it is explicitely stated to not be a "security feature".
> >
> > According to the man page of progctl
> > https://www.freebsd.org/cgi/man.cgi?query=procctl&apropos=0&sektion=2&manpath=FreeBSD+10.2-RELEASE&arch=default&format=html
> > this would be PROC_TRACE_CTL with data PROC_TRACE_CTL_DISABLE.
> >
> >
> > I will have to ask someone more familiar with that.
>
> Martin Gräßlin wrote:
> > how do I get kwin to output the debug output for the framebuffer
> backend, with qcdebug lines,
>
> Given the notes on it, that seems fine. It's not my intention to protect
> against kernel or root.
>From a non-Linux perspective, it would be good if there was a CMake check for
>`prctl()` and `PR_SET_DUMPABLE/PROC_TRACE_CTL` with a big warning in case none
>was found. The oldest supported FreeBSD release (9.x) will be supported until
>the end of 2016 and it does not have this functionality, and neither do
>{Net,DragonFly,Open}BSD, so adding the calls without additional checks will
>just create additional problems for those packaging kscreenlocker for those
>platforms, and I doubt they will be able to add a replacement for this without
>help from their kernel (and existing releases would still be broken).
- Raphael
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/126203/#review88939
-----------------------------------------------------------
On Nov. 30, 2015, 10:01 a.m., Martin Gräßlin wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/126203/
> -----------------------------------------------------------
>
> (Updated Nov. 30, 2015, 10:01 a.m.)
>
>
> Review request for Plasma and Tobias Berner.
>
>
> Repository: kscreenlocker
>
>
> Description
> -------
>
> Setting the PR_SET_DUMPABLE flag to 0 for the security relevant
> command kcheckpass and kscreenlocker_greet. If one wants to gdb into
> the running command it will result in:
>
> ptrace: Operation not permitted.
>
> For kscreenlocker_greet ptrace is permitted in testing mode.
>
> As root it's still possible to attach to the process.
>
> ---
>
> @Tobias: I assume this is a strong linux-ism. Is there a FreeBSD compareable
> functionality?
>
> I'm considering to push this explicitly without an ifdef. It's a new security
> feature and I want to make non-Linux systems aware of the fact that it adds a
> new feature and that a replacement should be added.
>
>
> Diffs
> -----
>
> greeter/main.cpp e4e679e7ef40b319665428281fdba5f4e0b4eb25
> kcheckpass/kcheckpass.c fd2d2215bf2199f159a121bb0ce08e7b2b254aaa
>
> Diff: https://git.reviewboard.kde.org/r/126203/diff/
>
>
> Testing
> -------
>
> Tried to gdb into the processes: failed
> Tried to gdb into kscreenlocker_greet --testing: succeeded
> Tried to gdb into kscreenlocker_greet as root: succeeded
>
>
> Thanks,
>
> Martin Gräßlin
>
>
_______________________________________________
Plasma-devel mailing list
Plasma-devel@kde.org
https://mail.kde.org/mailman/listinfo/plasma-devel
