[PATCH] Add 10-yama-ptrace.conf (rhbz 1209492)

Mark Wielaard mjw at redhat.com
Sat Aug 1 20:08:14 UTC 2015


On Mon, Jul 06, 2015 at 03:49:18PM +0200, Mark Wielaard wrote:
> On Mon, 2015-07-06 at 09:39 -0400, Josh Boyer wrote:
> > On Mon, Jul 6, 2015 at 9:10 AM, Mark Wielaard <mjw at redhat.com> wrote:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1209492 (an to this email)
> > > to revert the yama config setting to the upstream default. This fixes
> > 
> > That would make the sysctl file systemd just added on your request
> > completely pointless and actually incorrect because changing the value
> > wouldn't work at all.
> 
> Yes, that is a downside of the patch. You won't be able to switch the
> default value anymore. But if we cannot do that by installing the sysctl
> file in either the kernel or systemd the alternative would be to hunt
> down and fix all individual packages that rely on ptrace working
> normally. Which seems unattractive to me if the fix in the kernel is so
> simple.

It took some time but we eventually came up with a solution.  Stephen
Smalley who added the support for yama originally to the fedora kernel
agrees with the approach. And Paul Moore is making sure this gets merged
upstream. Attached are commits for f22, f23 and master. Please let me know
if you need anything else to get these applied.

Thanks,

Mark
-------------- next part --------------
From cbe1bca54f09d878c5551ca53a923b879e7230f9 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mjw at redhat.com>
Date: Sat, 1 Aug 2015 19:18:10 +0200
Subject: [PATCH] Set yama ptrace_scope default (rhbz 1209492)

---
 config-generic                      |  2 ++
 kernel.spec                         |  9 ++++++
 yama-set-ptrace_scope-default.patch | 61 +++++++++++++++++++++++++++++++++++++
 3 files changed, 72 insertions(+)
 create mode 100644 yama-set-ptrace_scope-default.patch

diff --git a/config-generic b/config-generic
index 24a3387..3d84ed0 100644
--- a/config-generic
+++ b/config-generic
@@ -4585,7 +4585,9 @@ CONFIG_SECURITY_SELINUX_AVC_STATS=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
+# (rhbz 1209492) we only want yama enabled with ptrace_scope set to zero.
 CONFIG_SECURITY_YAMA=y
+CONFIG_SECURITY_YAMA_PTRACE_DEFAULT=0
 CONFIG_SECURITY_YAMA_STACKED=y
 CONFIG_AUDIT=y
 CONFIG_AUDITSYSCALL=y
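Review bot: the new comment above CONFIG_SECURITY_YAMA=y states the intent but not the consequence: with CONFIG_SECURITY_YAMA_PTRACE_DEFAULT=0 the kernel boots with the classic, unrestricted ptrace behaviour, and the Yama restriction only takes effect if something raises kernel.yama.ptrace_scope at runtime. Consider saying so in the comment, e.g. `# ptrace_scope can still be raised at runtime via the kernel.yama.ptrace_scope sysctl.`, since that runtime switch is exactly what keeps the systemd sysctl file discussed in this thread meaningful.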
diff --git a/kernel.spec b/kernel.spec
index 792f833..51df973 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -645,6 +645,9 @@ Patch26260: x86-nmi-64-Improve-nested-NMI-comments.patch
 Patch26261: x86-nmi-64-Reorder-nested-NMI-checks.patch
 Patch26262: x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
 
+# rhbz 1209492
+Patch26263: yama-set-ptrace_scope-default.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1408,6 +1411,9 @@ ApplyPatch x86-nmi-64-Improve-nested-NMI-comments.patch
 ApplyPatch x86-nmi-64-Reorder-nested-NMI-checks.patch
 ApplyPatch x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
 
+# rhbz 1209492
+ApplyPatch yama-set-ptrace_scope-default.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2258,6 +2264,9 @@ fi
 #
 # 
 %changelog
+* Sat Aug 01 2015 Mark Wielaard <mjw at redhat.com>
+- Set yama ptrace_scope default (rhbz 1209492)
+
 * Wed Jul 29 2015 Laura Abbott <labbott at redhat.com> - 4.1.3-201
 - tag and build for CVE fixes
 
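Review bot: the new %changelog entry omits the version-release suffix that the neighbouring entry carries (`* Wed Jul 29 2015 Laura Abbott <labbott at redhat.com> - 4.1.3-201`). If this commit is meant to produce a build, bump the release and append it to the entry as the entry below does; if it is meant to be folded into the next build, say so in the commit message so the missing suffix is not mistaken for an oversight.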
diff --git a/yama-set-ptrace_scope-default.patch b/yama-set-ptrace_scope-default.patch
new file mode 100644
index 0000000..5e36e56
--- /dev/null
+++ b/yama-set-ptrace_scope-default.patch
@@ -0,0 +1,61 @@
+yama: make the default ptrace_scope value a Kconfig option
+
+From: Paul Moore <pmoore at redhat.com>
+
+By default a Yama enabled system boots into a "restricted ptrace"
+mode, while desirable from a security point of view, it does alter
+the classic Linux ptrace() permissions and is seen by some as a
+serious API breakage.  It is possible to alter the ptrace_scope at
+runtime through the normal sysctl methods, but there are some
+distributions which insist on using the kernel compile time defaults
+for Yama while at the same time complaining about the API break.
+Needless to say, this makes it very difficult to enable Yama in these
+distribution kernels.
+
+This patch creates CONFIG_SECURITY_YAMA_PTRACE_DEFAULT, a new Kconfig
+option, which allows a user to set the compile time default for Yama's
+ptrace_scope setting.  The default value is set to "1" to preserve
+Yama's defaults.
+
+Signed-off-by: Paul Moore <pmoore at redhat.com>
+---
+ security/yama/Kconfig    |   12 ++++++++++++
+ security/yama/yama_lsm.c |    2 +-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/security/yama/Kconfig b/security/yama/Kconfig
+index 90c605e..2cf9bad 100644
+--- a/security/yama/Kconfig
++++ b/security/yama/Kconfig
+@@ -10,6 +10,18 @@
+ 
+ 	  If you are unsure how to answer this question, answer N.
+ 
++config SECURITY_YAMA_PTRACE_DEFAULT
++	int "Yama default ptrace_scope value"
++	depends on SECURITY_YAMA
++	range 0 3
++	default 1
++	help
++	  This sets the default ptrace_scope value as described in
++	  Documentation/security/Yama.txt.  Historically Yama has always had
++	  a default value of 1, enabling some ptrace restrictions, but the
++	  classic, unrestricted Linux ptrace behavior is possible with a value
++	  of 0.
++
+ config SECURITY_YAMA_STACKED
+ 	bool "Yama stacked with other LSMs"
+ 	depends on SECURITY_YAMA
+diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
+index d3c19c9..16a35ec 100644
+--- a/security/yama/yama_lsm.c
++++ b/security/yama/yama_lsm.c
+@@ -24,7 +24,7 @@
+ #define YAMA_SCOPE_CAPABILITY	2
+ #define YAMA_SCOPE_NO_ATTACH	3
+ 
+-static int ptrace_scope = YAMA_SCOPE_RELATIONAL;
++static int ptrace_scope = CONFIG_SECURITY_YAMA_PTRACE_DEFAULT;
+ 
+ /* describe a ptrace relationship for potential exception */
+ struct ptrace_relation {
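Review bot: the new patch file carries no upstream reference even though the cover mail says Paul Moore is getting it merged; add the mailing-list posting URL or the upstream commit id under the Signed-off-by (or as a comment next to `Patch26263:` in kernel.spec) so the backport can be dropped when the branch rebases onto a kernel that already provides CONFIG_SECURITY_YAMA_PTRACE_DEFAULT. The change itself is consistent with the visible code: `range 0 3` covers the scope values shown in yama_lsm.c (YAMA_SCOPE_CAPABILITY 2, YAMA_SCOPE_NO_ATTACH 3), and `default 1` preserves the YAMA_SCOPE_RELATIONAL default that the replaced line hard-coded, so the upstream behaviour is unchanged unless a distribution config overrides it as config-generic does here.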
-- 
2.4.3

-------------- next part --------------
From 1070920f261ff717acfd4b050d2fd1254d86021c Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mjw at redhat.com>
Date: Sat, 1 Aug 2015 19:18:10 +0200
Subject: [PATCH] Set yama ptrace_scope default (rhbz 1209492)

---
 config-generic                      |  2 ++
 kernel.spec                         |  6 ++++
 yama-set-ptrace_scope-default.patch | 61 +++++++++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+)
 create mode 100644 yama-set-ptrace_scope-default.patch

diff --git a/config-generic b/config-generic
index 8553fc9..9d43fa7 100644
--- a/config-generic
+++ b/config-generic
@@ -4685,7 +4685,9 @@ CONFIG_SECURITY_SELINUX_AVC_STATS=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
+# (rhbz 1209492) we only want yama enabled with ptrace_scope set to zero.
 CONFIG_SECURITY_YAMA=y
+CONFIG_SECURITY_YAMA_PTRACE_DEFAULT=0
 CONFIG_SECURITY_YAMA_STACKED=y
 CONFIG_AUDIT=y
 CONFIG_AUDITSYSCALL=y
diff --git a/kernel.spec b/kernel.spec
index 0c0c9ae..3bbe67a 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -582,6 +582,9 @@ Patch502: firmware-Drop-WARN-from-usermodehelper_read_trylock-.patch
 
 Patch503: drm-i915-turn-off-wc-mmaps.patch
 
+# rhbz 1209492
+Patch504: yama-set-ptrace_scope-default.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2017,6 +2020,9 @@ fi
 #
 # 
 %changelog
+* Sat Aug 01 2015 Mark Wielaard <mjw at redhat.com>
+- Set yama ptrace_scope default (rhbz 1209492)
+
 * Fri Jul 31 2015 Josh Boyer <jwboyer at fedoraproject.org> - 4.2.0-0.rc4.git4.1
 - Linux v4.2-rc4-111-g8400935737bf
 
diff --git a/yama-set-ptrace_scope-default.patch b/yama-set-ptrace_scope-default.patch
new file mode 100644
index 0000000..5e36e56
--- /dev/null
+++ b/yama-set-ptrace_scope-default.patch
@@ -0,0 +1,61 @@
+yama: make the default ptrace_scope value a Kconfig option
+
+From: Paul Moore <pmoore at redhat.com>
+
+By default a Yama enabled system boots into a "restricted ptrace"
+mode, while desirable from a security point of view, it does alter
+the classic Linux ptrace() permissions and is seen by some as a
+serious API breakage.  It is possible to alter the ptrace_scope at
+runtime through the normal sysctl methods, but there are some
+distributions which insist on using the kernel compile time defaults
+for Yama while at the same time complaining about the API break.
+Needless to say, this makes it very difficult to enable Yama in these
+distribution kernels.
+
+This patch creates CONFIG_SECURITY_YAMA_PTRACE_DEFAULT, a new Kconfig
+option, which allows a user to set the compile time default for Yama's
+ptrace_scope setting.  The default value is set to "1" to preserve
+Yama's defaults.
+
+Signed-off-by: Paul Moore <pmoore at redhat.com>
+---
+ security/yama/Kconfig    |   12 ++++++++++++
+ security/yama/yama_lsm.c |    2 +-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/security/yama/Kconfig b/security/yama/Kconfig
+index 90c605e..2cf9bad 100644
+--- a/security/yama/Kconfig
++++ b/security/yama/Kconfig
+@@ -10,6 +10,18 @@
+ 
+ 	  If you are unsure how to answer this question, answer N.
+ 
++config SECURITY_YAMA_PTRACE_DEFAULT
++	int "Yama default ptrace_scope value"
++	depends on SECURITY_YAMA
++	range 0 3
++	default 1
++	help
++	  This sets the default ptrace_scope value as described in
++	  Documentation/security/Yama.txt.  Historically Yama has always had
++	  a default value of 1, enabling some ptrace restrictions, but the
++	  classic, unrestricted Linux ptrace behavior is possible with a value
++	  of 0.
++
+ config SECURITY_YAMA_STACKED
+ 	bool "Yama stacked with other LSMs"
+ 	depends on SECURITY_YAMA
+diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
+index d3c19c9..16a35ec 100644
+--- a/security/yama/yama_lsm.c
++++ b/security/yama/yama_lsm.c
+@@ -24,7 +24,7 @@
+ #define YAMA_SCOPE_CAPABILITY	2
+ #define YAMA_SCOPE_NO_ATTACH	3
+ 
+-static int ptrace_scope = YAMA_SCOPE_RELATIONAL;
++static int ptrace_scope = CONFIG_SECURITY_YAMA_PTRACE_DEFAULT;
+ 
+ /* describe a ptrace relationship for potential exception */
+ struct ptrace_relation {
-- 
2.4.3

-------------- next part --------------
From 2ce2ef114cff1979c29dd723e954c14749e16f40 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mjw at redhat.com>
Date: Sat, 1 Aug 2015 19:18:10 +0200
Subject: [PATCH] Set yama ptrace_scope default (rhbz 1209492)

---
 config-generic                      |  2 ++
 kernel.spec                         |  6 ++++
 yama-set-ptrace_scope-default.patch | 61 +++++++++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+)
 create mode 100644 yama-set-ptrace_scope-default.patch

diff --git a/config-generic b/config-generic
index b7e23de..a607e5b 100644
--- a/config-generic
+++ b/config-generic
@@ -4686,7 +4686,9 @@ CONFIG_SECURITY_SELINUX_AVC_STATS=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
+# (rhbz 1209492) we only want yama enabled with ptrace_scope set to zero.
 CONFIG_SECURITY_YAMA=y
+CONFIG_SECURITY_YAMA_PTRACE_DEFAULT=0
 CONFIG_SECURITY_YAMA_STACKED=y
 CONFIG_AUDIT=y
 CONFIG_AUDITSYSCALL=y
diff --git a/kernel.spec b/kernel.spec
index 09bf955..b01e55c 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -582,6 +582,9 @@ Patch502: firmware-Drop-WARN-from-usermodehelper_read_trylock-.patch
 
 Patch503: drm-i915-turn-off-wc-mmaps.patch
 
+# rhbz 1209492
+Patch504: yama-set-ptrace_scope-default.patch
+
 Patch904: kdbus.patch
 
 # END OF PATCH DEFINITIONS
@@ -2019,6 +2022,9 @@ fi
 #
 # 
 %changelog
+* Sat Aug 01 2015 Mark Wielaard <mjw at redhat.com>
+- Set yama ptrace_scope default (rhbz 1209492)
+
 * Fri Jul 31 2015 Josh Boyer <jwboyer at fedoraproject.org> - 4.2.0-0.rc4.git4.1
 - Linux v4.2-rc4-111-g8400935737bf
 
diff --git a/yama-set-ptrace_scope-default.patch b/yama-set-ptrace_scope-default.patch
new file mode 100644
index 0000000..5e36e56
--- /dev/null
+++ b/yama-set-ptrace_scope-default.patch
@@ -0,0 +1,61 @@
+yama: make the default ptrace_scope value a Kconfig option
+
+From: Paul Moore <pmoore at redhat.com>
+
+By default a Yama enabled system boots into a "restricted ptrace"
+mode, while desirable from a security point of view, it does alter
+the classic Linux ptrace() permissions and is seen by some as a
+serious API breakage.  It is possible to alter the ptrace_scope at
+runtime through the normal sysctl methods, but there are some
+distributions which insist on using the kernel compile time defaults
+for Yama while at the same time complaining about the API break.
+Needless to say, this makes it very difficult to enable Yama in these
+distribution kernels.
+
+This patch creates CONFIG_SECURITY_YAMA_PTRACE_DEFAULT, a new Kconfig
+option, which allows a user to set the compile time default for Yama's
+ptrace_scope setting.  The default value is set to "1" to preserve
+Yama's defaults.
+
+Signed-off-by: Paul Moore <pmoore at redhat.com>
+---
+ security/yama/Kconfig    |   12 ++++++++++++
+ security/yama/yama_lsm.c |    2 +-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/security/yama/Kconfig b/security/yama/Kconfig
+index 90c605e..2cf9bad 100644
+--- a/security/yama/Kconfig
++++ b/security/yama/Kconfig
+@@ -10,6 +10,18 @@
+ 
+ 	  If you are unsure how to answer this question, answer N.
+ 
++config SECURITY_YAMA_PTRACE_DEFAULT
++	int "Yama default ptrace_scope value"
++	depends on SECURITY_YAMA
++	range 0 3
++	default 1
++	help
++	  This sets the default ptrace_scope value as described in
++	  Documentation/security/Yama.txt.  Historically Yama has always had
++	  a default value of 1, enabling some ptrace restrictions, but the
++	  classic, unrestricted Linux ptrace behavior is possible with a value
++	  of 0.
++
+ config SECURITY_YAMA_STACKED
+ 	bool "Yama stacked with other LSMs"
+ 	depends on SECURITY_YAMA
+diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
+index d3c19c9..16a35ec 100644
+--- a/security/yama/yama_lsm.c
++++ b/security/yama/yama_lsm.c
+@@ -24,7 +24,7 @@
+ #define YAMA_SCOPE_CAPABILITY	2
+ #define YAMA_SCOPE_NO_ATTACH	3
+ 
+-static int ptrace_scope = YAMA_SCOPE_RELATIONAL;
++static int ptrace_scope = CONFIG_SECURITY_YAMA_PTRACE_DEFAULT;
+ 
+ /* describe a ptrace relationship for potential exception */
+ struct ptrace_relation {
-- 
2.4.3
