Re: [PATCH] Add 10-yama-ptrace.conf (rhbz 1209492)

On Sat, Aug 01, 2015 at 10:08:14PM +0200, Mark Wielaard wrote:
> On Mon, Jul 06, 2015 at 03:49:18PM +0200, Mark Wielaard wrote:
> > On Mon, 2015-07-06 at 09:39 -0400, Josh Boyer wrote:
> > > On Mon, Jul 6, 2015 at 9:10 AM, Mark Wielaard <mjw@xxxxxxxxxx> wrote:
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=1209492 (an to this email)
> > > > to revert the yama config setting to the upstream default. This fixes
> > > 
> > > That would make the sysctl file systemd just added on your request
> > > completely pointless and actually incorrect because changing the value
> > > wouldn't work at all.
> > 
> > Yes, that is a downside of the patch. You won't be able to switch the
> > default value anymore. But if we cannot do that by installing the sysctl
> > file in either the kernel or systemd the alternative would be to hunt
> > down and fix all individual packages that rely on ptrace working
> > normally. Which seems unattractive to me if the fix in the kernel is so
> > simple.
> 
> It took some time but we eventually came up with a solution.  Stephen
> Smalley who added the support for yama originally to the fedora kernel
> agrees with the approach. And Paul Moore is making sure this gets merged
> upstream. Attached are commits for f22, f23 and master. Please let me know
> if you need anything else to get these applied.
So... yama consists of one thing, the ptrace scope setting.
Your patch sets the ptrace scope setting back to 0. So yama
would be compiled in, but disabled.

Yama was added for a reason. So far this reason has not
gone away. Your patch would make users susceptible to the
vulnerability, by default, again.

Zbyszek
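The compile-time-default versus sysctl-file question argued above, as an added example that is not part of the thread or of the Fedora kernel package: it models the CONFIG_SECURITY_YAMA_PTRACE_DEFAULT option the attached patch introduces together with a sysctl.d drop-in, and reports which layer ends up deciding the boot-time ptrace_scope. The sysctl.d ordering (lexicographic, later setting wins) follows sysctl.d(5); SCOPE_NAMES, FEDORA_CONFIG and SYSCTL_D are constructed sample data.

```python
import re

# Scope names: 0 and 1 as the patch's Kconfig help describes them, 2 and 3
# from the YAMA_SCOPE_* constants visible in yama_lsm.c.
SCOPE_NAMES = {0: "classic (unrestricted)", 1: "relational", 2: "capability", 3: "no attach"}

def compile_time_default(config_text):
    """Compiled-in ptrace_scope, or None when Yama is not built in; models
    CONFIG_SECURITY_YAMA_PTRACE_DEFAULT as patched (range 0..3, default 1)."""
    opts = dict(re.findall(r"^(CONFIG_\w+)=(\S+)$", config_text, re.M))
    if opts.get("CONFIG_SECURITY_YAMA") != "y":
        return None
    value = int(opts.get("CONFIG_SECURITY_YAMA_PTRACE_DEFAULT", "1"))
    if not 0 <= value <= 3:
        raise ValueError("ptrace_scope outside Kconfig range 0..3: %d" % value)
    return value

def sysctl_override(sysctl_files):
    """Last kernel.yama.ptrace_scope across the fragments, or None. Files go
    in lexicographic order, later settings win (sysctl.d(5)); '#'/';' comment."""
    result = None
    for name in sorted(sysctl_files):
        for line in sysctl_files[name].splitlines():
            line = line.strip()
            if not line or line[0] in "#;":
                continue
            key, _, val = line.partition("=")
            if key.strip() == "kernel.yama.ptrace_scope":
                result = int(val.strip())
    return result

def effective_scope(config_text, sysctl_files):
    """(value, name, origin): the compiled-in default unless a sysctl.d fragment
    replaces it once systemd-sysctl runs; 0 means Yama is built in but inert."""
    default = compile_time_default(config_text)
    if default is None:
        return None, None, "yama not built in"
    override = sysctl_override(sysctl_files)
    if override is None:
        return default, SCOPE_NAMES[default], "compile-time default"
    return override, SCOPE_NAMES[override], "sysctl.d"

# Constructed sample input: the config-generic lines from the patch plus a
# 10-yama-ptrace.conf drop-in like the one named in the thread subject.
FEDORA_CONFIG = ("CONFIG_SECURITY_YAMA=y\nCONFIG_SECURITY_YAMA_PTRACE_DEFAULT=0\n"
                 "CONFIG_SECURITY_YAMA_STACKED=y\n")
SYSCTL_D = {"10-yama-ptrace.conf": "# constructed\nkernel.yama.ptrace_scope = 1\n"}

if __name__ == "__main__":
    for files in ({}, SYSCTL_D):  # without, then with, the sysctl drop-in
        print(effective_scope(FEDORA_CONFIG, files))
```

Run without the drop-in the result is scope 0 from the compile-time default, which is exactly the "compiled in, but disabled" state the reply above describes; only the sysctl fragment raises it back to 1.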



> 
> Thanks,
> 
> Mark

> From cbe1bca54f09d878c5551ca53a923b879e7230f9 Mon Sep 17 00:00:00 2001
> From: Mark Wielaard <mjw@xxxxxxxxxx>
> Date: Sat, 1 Aug 2015 19:18:10 +0200
> Subject: [PATCH] Set yama ptrace_scope default (rhbz 1209492)
> 
> ---
>  config-generic                      |  2 ++
>  kernel.spec                         |  9 ++++++
>  yama-set-ptrace_scope-default.patch | 61 +++++++++++++++++++++++++++++++++++++
>  3 files changed, 72 insertions(+)
>  create mode 100644 yama-set-ptrace_scope-default.patch
> 
> diff --git a/config-generic b/config-generic
> index 24a3387..3d84ed0 100644
> --- a/config-generic
> +++ b/config-generic
> @@ -4585,7 +4585,9 @@ CONFIG_SECURITY_SELINUX_AVC_STATS=y
>  # CONFIG_SECURITY_SMACK is not set
>  # CONFIG_SECURITY_TOMOYO is not set
>  # CONFIG_SECURITY_APPARMOR is not set
> +# (rhbz 1209492) we only want yama enabled with ptrace_scope set to zero.
>  CONFIG_SECURITY_YAMA=y
> +CONFIG_SECURITY_YAMA_PTRACE_DEFAULT=0
>  CONFIG_SECURITY_YAMA_STACKED=y
>  CONFIG_AUDIT=y
>  CONFIG_AUDITSYSCALL=y
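Review bot: the comment added above CONFIG_SECURITY_YAMA_PTRACE_DEFAULT=0 says only that ptrace_scope should be zero, not what is expected to raise it again; since the thread names a systemd sysctl file (10-yama-ptrace.conf) as the place where the value is chosen, the comment should say that the compiled-in 0 is meant to be overridden by that file, otherwise a reader of config-generic will conclude Yama is deliberately built in but inert, which is the objection raised in the reply.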
> diff --git a/kernel.spec b/kernel.spec
> index 792f833..51df973 100644
> --- a/kernel.spec
> +++ b/kernel.spec
> @@ -645,6 +645,9 @@ Patch26260: x86-nmi-64-Improve-nested-NMI-comments.patch
>  Patch26261: x86-nmi-64-Reorder-nested-NMI-checks.patch
>  Patch26262: x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
>  
> +# rhbz 1209492
> +Patch26263: yama-set-ptrace_scope-default.patch
> +
>  # END OF PATCH DEFINITIONS
>  
>  %endif
> @@ -1408,6 +1411,9 @@ ApplyPatch x86-nmi-64-Improve-nested-NMI-comments.patch
>  ApplyPatch x86-nmi-64-Reorder-nested-NMI-checks.patch
>  ApplyPatch x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
>  
> +# rhbz 1209492
> +ApplyPatch yama-set-ptrace_scope-default.patch
> +
>  # END OF PATCH APPLICATIONS
>  
>  %endif
> @@ -2258,6 +2264,9 @@ fi
>  #
>  # 
>  %changelog
> +* Sat Aug 01 2015 Mark Wielaard <mjw@xxxxxxxxxx>
> +- Set yama ptrace_scope default (rhbz 1209492)
> +
>  * Wed Jul 29 2015 Laura Abbott <labbott@xxxxxxxxxx> - 4.1.3-201
>  - tag and build for CVE fixes
>  
> diff --git a/yama-set-ptrace_scope-default.patch b/yama-set-ptrace_scope-default.patch
> new file mode 100644
> index 0000000..5e36e56
> --- /dev/null
> +++ b/yama-set-ptrace_scope-default.patch
> @@ -0,0 +1,61 @@
> +yama: make the default ptrace_scope value a Kconfig option
> +
> +From: Paul Moore <pmoore@xxxxxxxxxx>
> +
> +By default a Yama enabled system boots into a "restricted ptrace"
> +mode, while desirable from a security point of view, it does alter
> +the classic Linux ptrace() permissions and is seen by some as a
> +serious API breakage.  It is possible to alter the ptrace_scope at
> +runtime through the normal sysctl methods, but there are some
> +distributions which insist on using the kernel compile time defaults
> +for Yama while at the same time complaining about the API break.
> +Needless to say, this makes it very difficult to enable Yama in these
> +distribution kernels.
> +
> +This patch creates CONFIG_SECURITY_YAMA_PTRACE_DEFAULT, a new Kconfig
> +option, which allows a user to set the compile time default for Yama's
> +ptrace_scope setting.  The default value is set to "1" to preserve
> +Yama's defaults.
> +
> +Signed-off-by: Paul Moore <pmoore@xxxxxxxxxx>
> +---
> + security/yama/Kconfig    |   12 ++++++++++++
> + security/yama/yama_lsm.c |    2 +-
> + 2 files changed, 13 insertions(+), 1 deletion(-)
> +
> +diff --git a/security/yama/Kconfig b/security/yama/Kconfig
> +index 90c605e..2cf9bad 100644
> +--- a/security/yama/Kconfig
> ++++ b/security/yama/Kconfig
> +@@ -10,6 +10,18 @@
> + 
> + 	  If you are unsure how to answer this question, answer N.
> + 
> ++config SECURITY_YAMA_PTRACE_DEFAULT
> ++	int "Yama default ptrace_scope value"
> ++	depends on SECURITY_YAMA
> ++	range 0 3
> ++	default 1
> ++	help
> ++	  This sets the default ptrace_scope value as described in
> ++	  Documentation/security/Yama.txt.  Historically Yama has always had
> ++	  a default value of 1, enabling some ptrace restrictions, but the
> ++	  classic, unrestricted Linux ptrace behavior is possible with a value
> ++	  of 0.
> ++
> + config SECURITY_YAMA_STACKED
> + 	bool "Yama stacked with other LSMs"
> + 	depends on SECURITY_YAMA
> +diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
> +index d3c19c9..16a35ec 100644
> +--- a/security/yama/yama_lsm.c
> ++++ b/security/yama/yama_lsm.c
> +@@ -24,7 +24,7 @@
> + #define YAMA_SCOPE_CAPABILITY	2
> + #define YAMA_SCOPE_NO_ATTACH	3
> + 
> +-static int ptrace_scope = YAMA_SCOPE_RELATIONAL;
> ++static int ptrace_scope = CONFIG_SECURITY_YAMA_PTRACE_DEFAULT;
> + 
> + /* describe a ptrace relationship for potential exception */
> + struct ptrace_relation {
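Review bot: the new Kconfig help text documents only values 0 and 1, while yama_lsm.c in the same patch shows the option also covers YAMA_SCOPE_CAPABILITY (2) and YAMA_SCOPE_NO_ATTACH (3) and `range 0 3` accepts them; list all four meanings (or state that they map one-to-one onto Documentation/security/Yama.txt) so a configurator choosing 2 or 3 knows what is enforced. In the yama_lsm.c hunk, `static int ptrace_scope = CONFIG_SECURITY_YAMA_PTRACE_DEFAULT;` drops the named YAMA_SCOPE_* constant; a one-line comment tying the Kconfig integer to those constants would keep the two numberings from drifting apart.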
> -- 
> 2.4.3
> 

> From 1070920f261ff717acfd4b050d2fd1254d86021c Mon Sep 17 00:00:00 2001
> From: Mark Wielaard <mjw@xxxxxxxxxx>
> Date: Sat, 1 Aug 2015 19:18:10 +0200
> Subject: [PATCH] Set yama ptrace_scope default (rhbz 1209492)
> 
> ---
>  config-generic                      |  2 ++
>  kernel.spec                         |  6 ++++
>  yama-set-ptrace_scope-default.patch | 61 +++++++++++++++++++++++++++++++++++++
>  3 files changed, 69 insertions(+)
>  create mode 100644 yama-set-ptrace_scope-default.patch
> 
> diff --git a/config-generic b/config-generic
> index 8553fc9..9d43fa7 100644
> --- a/config-generic
> +++ b/config-generic
> @@ -4685,7 +4685,9 @@ CONFIG_SECURITY_SELINUX_AVC_STATS=y
>  # CONFIG_SECURITY_SMACK is not set
>  # CONFIG_SECURITY_TOMOYO is not set
>  # CONFIG_SECURITY_APPARMOR is not set
> +# (rhbz 1209492) we only want yama enabled with ptrace_scope set to zero.
>  CONFIG_SECURITY_YAMA=y
> +CONFIG_SECURITY_YAMA_PTRACE_DEFAULT=0
>  CONFIG_SECURITY_YAMA_STACKED=y
>  CONFIG_AUDIT=y
>  CONFIG_AUDITSYSCALL=y
> diff --git a/kernel.spec b/kernel.spec
> index 0c0c9ae..3bbe67a 100644
> --- a/kernel.spec
> +++ b/kernel.spec
> @@ -582,6 +582,9 @@ Patch502: firmware-Drop-WARN-from-usermodehelper_read_trylock-.patch
>  
>  Patch503: drm-i915-turn-off-wc-mmaps.patch
>  
> +# rhbz 1209492
> +Patch504: yama-set-ptrace_scope-default.patch
> +
>  # END OF PATCH DEFINITIONS
>  
>  %endif
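Review bot: unlike the f22 commit, this kernel.spec diff only defines Patch504 and carries no matching ApplyPatch hunk (the diffstat shows 6 insertions against 9 before); confirm that this branch's spec applies every defined PatchNNN automatically, otherwise yama-set-ptrace_scope-default.patch is listed but never applied and the CONFIG_SECURITY_YAMA_PTRACE_DEFAULT=0 line in config-generic has no Kconfig symbol to act on.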
> @@ -2017,6 +2020,9 @@ fi
>  #
>  # 
>  %changelog
> +* Sat Aug 01 2015 Mark Wielaard <mjw@xxxxxxxxxx>
> +- Set yama ptrace_scope default (rhbz 1209492)
> +
>  * Fri Jul 31 2015 Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx> - 4.2.0-0.rc4.git4.1
>  - Linux v4.2-rc4-111-g8400935737bf
>  
> diff --git a/yama-set-ptrace_scope-default.patch b/yama-set-ptrace_scope-default.patch
> new file mode 100644
> index 0000000..5e36e56
> --- /dev/null
> +++ b/yama-set-ptrace_scope-default.patch
> @@ -0,0 +1,61 @@
> +yama: make the default ptrace_scope value a Kconfig option
> +
> +From: Paul Moore <pmoore@xxxxxxxxxx>
> +
> +By default a Yama enabled system boots into a "restricted ptrace"
> +mode, while desirable from a security point of view, it does alter
> +the classic Linux ptrace() permissions and is seen by some as a
> +serious API breakage.  It is possible to alter the ptrace_scope at
> +runtime through the normal sysctl methods, but there are some
> +distributions which insist on using the kernel compile time defaults
> +for Yama while at the same time complaining about the API break.
> +Needless to say, this makes it very difficult to enable Yama in these
> +distribution kernels.
> +
> +This patch creates CONFIG_SECURITY_YAMA_PTRACE_DEFAULT, a new Kconfig
> +option, which allows a user to set the compile time default for Yama's
> +ptrace_scope setting.  The default value is set to "1" to preserve
> +Yama's defaults.
> +
> +Signed-off-by: Paul Moore <pmoore@xxxxxxxxxx>
> +---
> + security/yama/Kconfig    |   12 ++++++++++++
> + security/yama/yama_lsm.c |    2 +-
> + 2 files changed, 13 insertions(+), 1 deletion(-)
> +
> +diff --git a/security/yama/Kconfig b/security/yama/Kconfig
> +index 90c605e..2cf9bad 100644
> +--- a/security/yama/Kconfig
> ++++ b/security/yama/Kconfig
> +@@ -10,6 +10,18 @@
> + 
> + 	  If you are unsure how to answer this question, answer N.
> + 
> ++config SECURITY_YAMA_PTRACE_DEFAULT
> ++	int "Yama default ptrace_scope value"
> ++	depends on SECURITY_YAMA
> ++	range 0 3
> ++	default 1
> ++	help
> ++	  This sets the default ptrace_scope value as described in
> ++	  Documentation/security/Yama.txt.  Historically Yama has always had
> ++	  a default value of 1, enabling some ptrace restrictions, but the
> ++	  classic, unrestricted Linux ptrace behavior is possible with a value
> ++	  of 0.
> ++
> + config SECURITY_YAMA_STACKED
> + 	bool "Yama stacked with other LSMs"
> + 	depends on SECURITY_YAMA
> +diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
> +index d3c19c9..16a35ec 100644
> +--- a/security/yama/yama_lsm.c
> ++++ b/security/yama/yama_lsm.c
> +@@ -24,7 +24,7 @@
> + #define YAMA_SCOPE_CAPABILITY	2
> + #define YAMA_SCOPE_NO_ATTACH	3
> + 
> +-static int ptrace_scope = YAMA_SCOPE_RELATIONAL;
> ++static int ptrace_scope = CONFIG_SECURITY_YAMA_PTRACE_DEFAULT;
> + 
> + /* describe a ptrace relationship for potential exception */
> + struct ptrace_relation {
> -- 
> 2.4.3
> 

> From 2ce2ef114cff1979c29dd723e954c14749e16f40 Mon Sep 17 00:00:00 2001
> From: Mark Wielaard <mjw@xxxxxxxxxx>
> Date: Sat, 1 Aug 2015 19:18:10 +0200
> Subject: [PATCH] Set yama ptrace_scope default (rhbz 1209492)
> 
> ---
>  config-generic                      |  2 ++
>  kernel.spec                         |  6 ++++
>  yama-set-ptrace_scope-default.patch | 61 +++++++++++++++++++++++++++++++++++++
>  3 files changed, 69 insertions(+)
>  create mode 100644 yama-set-ptrace_scope-default.patch
> 
> diff --git a/config-generic b/config-generic
> index b7e23de..a607e5b 100644
> --- a/config-generic
> +++ b/config-generic
> @@ -4686,7 +4686,9 @@ CONFIG_SECURITY_SELINUX_AVC_STATS=y
>  # CONFIG_SECURITY_SMACK is not set
>  # CONFIG_SECURITY_TOMOYO is not set
>  # CONFIG_SECURITY_APPARMOR is not set
> +# (rhbz 1209492) we only want yama enabled with ptrace_scope set to zero.
>  CONFIG_SECURITY_YAMA=y
> +CONFIG_SECURITY_YAMA_PTRACE_DEFAULT=0
>  CONFIG_SECURITY_YAMA_STACKED=y
>  CONFIG_AUDIT=y
>  CONFIG_AUDITSYSCALL=y
> diff --git a/kernel.spec b/kernel.spec
> index 09bf955..b01e55c 100644
> --- a/kernel.spec
> +++ b/kernel.spec
> @@ -582,6 +582,9 @@ Patch502: firmware-Drop-WARN-from-usermodehelper_read_trylock-.patch
>  
>  Patch503: drm-i915-turn-off-wc-mmaps.patch
>  
> +# rhbz 1209492
> +Patch504: yama-set-ptrace_scope-default.patch
> +
>  Patch904: kdbus.patch
>  
>  # END OF PATCH DEFINITIONS
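Review bot: the same check as for the f23 commit applies here: Patch504 is defined next to Patch904: kdbus.patch, but no ApplyPatch hunk for it appears in this diff, so confirm the master spec applies defined patches automatically before merging.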
> @@ -2019,6 +2022,9 @@ fi
>  #
>  # 
>  %changelog
> +* Sat Aug 01 2015 Mark Wielaard <mjw@xxxxxxxxxx>
> +- Set yama ptrace_scope default (rhbz 1209492)
> +
>  * Fri Jul 31 2015 Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx> - 4.2.0-0.rc4.git4.1
>  - Linux v4.2-rc4-111-g8400935737bf
>  
> diff --git a/yama-set-ptrace_scope-default.patch b/yama-set-ptrace_scope-default.patch
> new file mode 100644
> index 0000000..5e36e56
> --- /dev/null
> +++ b/yama-set-ptrace_scope-default.patch
> @@ -0,0 +1,61 @@
> +yama: make the default ptrace_scope value a Kconfig option
> +
> +From: Paul Moore <pmoore@xxxxxxxxxx>
> +
> +By default a Yama enabled system boots into a "restricted ptrace"
> +mode, while desirable from a security point of view, it does alter
> +the classic Linux ptrace() permissions and is seen by some as a
> +serious API breakage.  It is possible to alter the ptrace_scope at
> +runtime through the normal sysctl methods, but there are some
> +distributions which insist on using the kernel compile time defaults
> +for Yama while at the same time complaining about the API break.
> +Needless to say, this makes it very difficult to enable Yama in these
> +distribution kernels.
> +
> +This patch creates CONFIG_SECURITY_YAMA_PTRACE_DEFAULT, a new Kconfig
> +option, which allows a user to set the compile time default for Yama's
> +ptrace_scope setting.  The default value is set to "1" to preserve
> +Yama's defaults.
> +
> +Signed-off-by: Paul Moore <pmoore@xxxxxxxxxx>
> +---
> + security/yama/Kconfig    |   12 ++++++++++++
> + security/yama/yama_lsm.c |    2 +-
> + 2 files changed, 13 insertions(+), 1 deletion(-)
> +
> +diff --git a/security/yama/Kconfig b/security/yama/Kconfig
> +index 90c605e..2cf9bad 100644
> +--- a/security/yama/Kconfig
> ++++ b/security/yama/Kconfig
> +@@ -10,6 +10,18 @@
> + 
> + 	  If you are unsure how to answer this question, answer N.
> + 
> ++config SECURITY_YAMA_PTRACE_DEFAULT
> ++	int "Yama default ptrace_scope value"
> ++	depends on SECURITY_YAMA
> ++	range 0 3
> ++	default 1
> ++	help
> ++	  This sets the default ptrace_scope value as described in
> ++	  Documentation/security/Yama.txt.  Historically Yama has always had
> ++	  a default value of 1, enabling some ptrace restrictions, but the
> ++	  classic, unrestricted Linux ptrace behavior is possible with a value
> ++	  of 0.
> ++
> + config SECURITY_YAMA_STACKED
> + 	bool "Yama stacked with other LSMs"
> + 	depends on SECURITY_YAMA
> +diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
> +index d3c19c9..16a35ec 100644
> +--- a/security/yama/yama_lsm.c
> ++++ b/security/yama/yama_lsm.c
> +@@ -24,7 +24,7 @@
> + #define YAMA_SCOPE_CAPABILITY	2
> + #define YAMA_SCOPE_NO_ATTACH	3
> + 
> +-static int ptrace_scope = YAMA_SCOPE_RELATIONAL;
> ++static int ptrace_scope = CONFIG_SECURITY_YAMA_PTRACE_DEFAULT;
> + 
> + /* describe a ptrace relationship for potential exception */
> + struct ptrace_relation {
> -- 
> 2.4.3
> 


_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/kernel



