Re: [PATCH] Add 10-yama-ptrace.conf (rhbz 1209492)

On Tue, Jun 23, 2015 at 2:04 AM, Mark Wielaard <mjw@xxxxxxxxxx> wrote:
> This fixes the yama bug #1209492 but lets administrators still add
> extra restrictions if desired. This patch should apply as is against
> both f22 and master.
>
> ---
>  10-yama-ptrace.conf | 30 ++++++++++++++++++++++++++++++
>  kernel.spec         | 11 +++++++++++
>  2 files changed, 41 insertions(+)
>  create mode 100644 10-yama-ptrace.conf
>
> diff --git a/10-yama-ptrace.conf b/10-yama-ptrace.conf
> new file mode 100644
> index 0000000..bcf0e69
> --- /dev/null
> +++ b/10-yama-ptrace.conf
> @@ -0,0 +1,30 @@
> +# The ptrace system call is used for interprocess services, communication
> +# and introspection (like synchronisation, signaling, debugging, tracing
> +# and profiling) of processes.
> +#
> +# Usage of ptrace is restricted by normal user permissions. Normal
> +# unprivileged processes cannot interact through ptrace with processes
> +# that they cannot send signals to or processes that are running set-uid
> +# or set-gid.
> +#
> +# yama ptrace scope can be used to reduce these permissions even more.
> +# This should normally not be done because it will break various programs
> +# relying on the default ptrace security restrictions. But can be used
> +# if you don't have any other way to separate processes in their own
> +# domains. A different way to restrict ptrace is to set the selinux
> +# deny_ptrace boolean. Both mechanisms will break some programs relying
> +# on the ptrace system call and might force users to elevate their
> +# priviliges to root to do their work.
> +#
> +# For more information see Documentation/security/Yama.txt in the kernel
> +# sources.
> +#
> +# This runtime kernel parameter can be set to the following options:
> +# (Note that setting this to anything except zero will break programs!)
> +#
> +# 0 - Normal ptrace security permissions.
> +# 1 - Restricted ptrace. Only child processes plus normal permissions.
> +# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.
> +# 3 - No attach. No process may call ptrace at all. Irrevocable.
> +#
> +kernel.yama.ptrace_scope = 0
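Review bot: "priviliges" in the header comment (the line "# priviliges to root to do their work.") should be "privileges". The mode 2 line, "Admin-only attach. Only executables with CAP_SYS_PTRACE.", reads as if the capability belonged to the binary; suggest "Only processes with CAP_SYS_PTRACE may attach", since it is the attaching process that is checked. It would also help an administrator reading the file to have one line saying why it exists, i.e. that it pins the scope to 0 for rhbz 1209492 (from the subject), rather than leaving that only in the commit message.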

The upstream default is 1 here, correct?  It might be worth noting that.

> diff --git a/kernel.spec b/kernel.spec
> index dfc4500..87efd85 100644
> --- a/kernel.spec
> +++ b/kernel.spec
> @@ -460,6 +460,9 @@ Source1000: config-local
>  Source2000: cpupower.service
>  Source2001: cpupower.config
>
> +# Default sysctl files
> +Source3000: 10-yama-ptrace.conf

We don't ship any other sysctl files in the kernel package.  I'm
really hesitant to add this here, as we try and keep the kernel
package as close to "kernel-only" as we can.  The systemd package
currently ships the others that I'm aware of.

>  # Here should be only the patches up to the upstream canonical Linus tree.
>
>  # For a stable release kernel
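Review bot: the new comment "# Default sysctl files" is plural while only one Source, 10-yama-ptrace.conf, is listed under it; suggest either "# Default sysctl file" or a comment that says what the file is for and points at rhbz 1209492, so the reason the kernel package carries a sysctl file is recorded next to the Source line and not only in the subject of this mail.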
> @@ -1711,6 +1714,10 @@ BuildKernel() {
>      rm -rf $RPM_BUILD_ROOT/lib/modules/$KernelVer/vdso/.build-id
>  %endif
>
> +    # Install default sysctl settings.
> +    %{__install} -D -m 444 %{SOURCE3000} \
> +       $RPM_BUILD_ROOT%{_sysctldir}/10-yama-ptrace-$KernelVer.conf
> +
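Review bot: the installed name 10-yama-ptrace-$KernelVer.conf differs from the Source name 10-yama-ptrace.conf, and embedding $KernelVer means every installed kernel drops its own copy into %{_sysctldir}; with this patch they all set the same value so nothing conflicts, but a version-independent name (or a comment explaining why per-version copies are wanted) would avoid several identical files accumulating as kernels are added. Separately, the diffstat counts 11 insertions in kernel.spec while the two quoted hunks account for 7, so the remaining lines (presumably the %files entry for this path) are not visible here; please confirm the file is listed for packaging, since an unlisted file under $RPM_BUILD_ROOT would fail the build.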

Help me out, is _sysctldir defined as /etc/sysctl.d or
/usr/lib/sysctl.d/ ?  The latter is where this file should go in any
case.

josh
_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/kernel
