[PATCH] Add 10-yama-ptrace.conf (rhbz 1209492)

Paul Moore pmoore at redhat.com
Mon Aug 3 21:49:07 UTC 2015


On Saturday, August 01, 2015 10:08:14 PM Mark Wielaard wrote:
> On Mon, Jul 06, 2015 at 03:49:18PM +0200, Mark Wielaard wrote:
> > On Mon, 2015-07-06 at 09:39 -0400, Josh Boyer wrote:
> > > On Mon, Jul 6, 2015 at 9:10 AM, Mark Wielaard <mjw at redhat.com> wrote:
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=1209492 (an to this email)
> > > > to revert the yama config setting to the upstream default. This fixes
> > > 
> > > That would make the sysctl file systemd just added on your request
> > > completely pointless and actually incorrect because changing the value
> > > wouldn't work at all.
> > 
> > Yes, that is a downside of the patch. You won't be able to switch the
> > default value anymore. But if we cannot do that by installing the sysctl
> > file in either the kernel or systemd the alternative would be to hunt
> > down and fix all individual packages that rely on ptrace working
> > normally. Which seems unattractive to me if the fix in the kernel is so
> > simple.
> 
> It took some time but we eventually came up with a solution.  Stephen
> Smalley who added the support for yama originally to the fedora kernel
> agrees with the approach. And Paul Moore is making sure this gets merged
> upstream. Attached are commits for f22, f23 and master. Please let me know
> if you need anything else to get these applied.

For the record, I don't really consider this a long term solution as the risks 
associated with ptrace() still exist.  While Mark and a few others on the BZ 
are happy to discount the risk, I am not.  However, my current workload 
doesn't allow me to keep arguing with Mark so I'm looking into ways to leave 
Yama in the kernel, but disabled by default.  If someone else is able to 
continue fighting for ptrace restrictions at this point in time, I would 
suggest adding yourself to the BZ.

Also, it appears that the patch I posted last week isn't really viable 
upstream due to a general distaste of setting sysctl defaults with CONFIG 
settings.  I have another thought, but I think that discussion is better had 
on the BZ than on this list.

-- 
paul moore
security @ redhat
