
I have a system in which we have GDB installed and a target binary which needs to be debugged for errors. We do not want the user to be able to debug any other process apart from the target binary.

Is there any way we can use SELinux to create a policy that restricts CAP_SYS_PTRACE to a target process, and fails when trying to debug any other process?

1 Answer


"Classic ptrace permissions" mode already allows ptrace of processes running as your uid, but not anything privileged. Put this in /etc/sysctl.d/program.conf

kernel.yama.ptrace_scope = 0 

If the program runs as a different user, allow switching to that user to run gdb, such as with a sudo rule.

Then gdb can be called with either the gdb program or gdb -p PID syntax.


Truly restricting it to only trace one program, not even others running as your user, is more difficult. Currently, CentOS 7 does not have any targeted SELinux policy for gdb. Running unconfined means SELinux does not apply, and it will allow same user or CAP_SYS_PTRACE.

You could define policy for both your program and GDB to allow it to do what you want.

allow gdb_t program_t:process { ptrace } ;

Problem is, none of these types exist yet. You would also have to figure out all the domain transitions required to confine gdb but still function.

There is a boolean that already exists that will shut off ptrace globally. Not very useful as there are no exceptions, but you can prevent root from tracing processes.

setsebool -P deny_ptrace on
John Mahowald
  • Thanks! Yes, in my use case developers might have access to the system but should not be able to debug/attach to any other program apart from one. Would it work if we wrote a custom kernel module to filter ptrace requests (hooking the syscall table) based on the destination process, or is it more complex than this? – user9830364 Oct 01 '18 at 01:51
  • SELinux is capable of this; writing policy is probably easier than maintaining a kernel module. You will have to decide how much work you want to do to confine it more than a dedicated service account or personal non-privileged user. – John Mahowald Oct 01 '18 at 12:53
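A sketch of the policy module the answer and its last comment describe, added here as an example and not taken from the answer or from any existing CentOS 7 policy: it defines the gdb_t and program_t types that the answer's allow rule assumes, the transitions into them from a developer shell, and the single ptrace grant. The type and module names, the refpolicy interface calls, and the assumption that developers run as unconfined_t are mine; as the answer warns, gdb_t will need further rules (found with audit2allow) before gdb is fully usable.

```selinux
policy_module(gdb_confine, 1.0)

########################################
# Types: none of these exist in the stock CentOS 7 targeted policy,
# so the module has to introduce them (names are assumptions).
#
type gdb_t;             # domain gdb runs in
type gdb_exec_t;        # label for /usr/bin/gdb (set in a companion .fc file)
type program_t;         # domain the one debuggable target runs in
type program_exec_t;    # label for the target binary (set in the .fc file)

domain_type(gdb_t)
domain_entry_file(gdb_t, gdb_exec_t)
domain_type(program_t)
domain_entry_file(program_t, program_exec_t)

########################################
# Domain transitions: a developer shell (assumed to be unconfined_t)
# executing the labelled binaries lands in the confined domains.
#
gen_require(`
	type unconfined_t;
')
domain_auto_trans(unconfined_t, gdb_exec_t, gdb_t)
domain_auto_trans(unconfined_t, program_exec_t, program_t)

########################################
# The only debugging relationship granted: gdb_t may trace program_t.
# No rule grants gdb_t ptrace on any other domain, so attaching to
# anything else is denied and logged as an AVC even with
# kernel.yama.ptrace_scope = 0, because SELinux is checked in addition
# to the classic uid-based ptrace check.
#
allow gdb_t program_t:process { ptrace getattr signal sigkill sigstop };
allow program_t gdb_t:process sigchld;
# /proc/<pid>/ entries of the target carry the program_t label
allow gdb_t program_t:dir search_dir_perms;
allow gdb_t program_t:file read_file_perms;
allow gdb_t program_t:lnk_file read_lnk_file_perms;
# symbol loading from the target binary on disk
allow gdb_t program_exec_t:file read_file_perms;

########################################
# Basics gdb needs regardless of target: terminal, /etc, libraries.
# Add `permissive gdb_t;` while iterating and extend this section from
# the logged denials; program_t needs its own rules for whatever the
# target program does, which are out of scope here.
#
userdom_use_user_terminals(gdb_t)
files_read_etc_files(gdb_t)
libs_use_ld_so(gdb_t)
libs_use_shared_libs(gdb_t)
corecmd_exec_bin(gdb_t)
```

Build and load it on CentOS 7 with `make -f /usr/share/selinux/devel/Makefile gdb_confine.pp && semodule -i gdb_confine.pp`, with a companion gdb_confine.fc that labels /usr/bin/gdb as gdb_exec_t and the target binary as program_exec_t, followed by restorecon on both paths. Note that the confinement only applies when gdb is started from its labelled path; a copy of the binary elsewhere, or another debugger, will not transition into gdb_t, so the labelled path and the developers' ability to write executables need to be considered together.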