[PATCH] Add 10-yama-ptrace.conf (rhbz 1209492)

Mark Wielaard mjw at redhat.com
Tue Jun 23 06:04:29 UTC 2015


This fixes the yama bug #1209492 (restoring ptrace_scope 0 as the shipped
default) while still letting administrators add extra restrictions if
desired. This patch should apply as is against both f22 and master.

---
 10-yama-ptrace.conf | 30 ++++++++++++++++++++++++++++++
 kernel.spec         | 11 +++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 10-yama-ptrace.conf

diff --git a/10-yama-ptrace.conf b/10-yama-ptrace.conf
new file mode 100644
index 0000000..bcf0e69
--- /dev/null
+++ b/10-yama-ptrace.conf
@@ -0,0 +1,30 @@
+# The ptrace system call is used for interprocess services, communication
+# and introspection (like synchronisation, signaling, debugging, tracing
+# and profiling) of processes.
+#
+# Usage of ptrace is restricted by normal user permissions. Normal
+# unprivileged processes cannot interact through ptrace with processes
+# that they cannot send signals to or processes that are running set-uid
+# or set-gid.
+#
+# yama ptrace scope can be used to reduce these permissions even more.
+# This should normally not be done because it will break various programs
+# relying on the default ptrace security restrictions. But can be used
+# if you don't have any other way to separate processes in their own
+# domains. A different way to restrict ptrace is to set the selinux
+# deny_ptrace boolean. Both mechanisms will break some programs relying
+# on the ptrace system call and might force users to elevate their
+# priviliges to root to do their work.
+#
+# For more information see Documentation/security/Yama.txt in the kernel
+# sources.
+#
+# This runtime kernel parameter can be set to the following options:
+# (Note that setting this to anything except zero will break programs!)
+#
+# 0 - Normal ptrace security permissions.
+# 1 - Restricted ptrace. Only child processes plus normal permissions.
+# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.
+# 3 - No attach. No process may call ptrace at all. Irrevocable.
+#
+kernel.yama.ptrace_scope = 0
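Review bot: The description of the baseline rule in the header comment is looser than what the kernel actually enforces: without Yama, ptrace attach requires the tracer's uid/gid triples to match the target's (or CAP_SYS_PTRACE) and the target to be dumpable, whereas "processes that they cannot send signals to" describes the weaker kill() check, so the comment understates the default protection. I would reword that sentence to `# that do not share its uid/gid credentials, that are not dumpable (e.g. set-uid/set-gid or post-setuid), unless it has CAP_SYS_PTRACE.` The comment also never tells an administrator how to override the shipped value; since sysctl.d fragments are applied in lexical order with later files winning, a hardening file such as `/etc/sysctl.d/01-ptrace.conf` would be silently reset to 0 by this file, so I would add `# To raise the scope locally, use a file that sorts after this one, e.g. /etc/sysctl.d/50-yama-ptrace.conf.` Minor: "priviliges" should be "privileges".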
diff --git a/kernel.spec b/kernel.spec
index dfc4500..87efd85 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -460,6 +460,9 @@ Source1000: config-local
 Source2000: cpupower.service
 Source2001: cpupower.config
 
+# Default sysctl files
+Source3000: 10-yama-ptrace.conf
+
 # Here should be only the patches up to the upstream canonical Linus tree.
 
 # For a stable release kernel
@@ -1711,6 +1714,10 @@ BuildKernel() {
     rm -rf $RPM_BUILD_ROOT/lib/modules/$KernelVer/vdso/.build-id
 %endif
 
+    # Install default sysctl settings.
+    %{__install} -D -m 444 %{SOURCE3000} \
+	$RPM_BUILD_ROOT%{_sysctldir}/10-yama-ptrace-$KernelVer.conf
+
     # And save the headers/makefiles etc for building modules against
     #
     # This all looks scary, but the end result is supposed to be:
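Review bot: Installing the fragment as `10-yama-ptrace-$KernelVer.conf` means every installed kernel ships its own copy, and all of them are applied at boot, so a machine with three kernels carries three files each forcing `kernel.yama.ptrace_scope = 0`; this is harmless for the default but makes the ordering relative to admin overrides the only thing that matters. The install line itself is fine (`-D -m 444` under `%{_sysctldir}`), but a one-line comment above it noting the consequence, such as `# One copy per installed kernel; local overrides must sort after 10-yama-ptrace-*.conf`, would save the next maintainer from wondering why the name is versioned. BuildKernel() begins and ends outside this hunk.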
@@ -2342,6 +2349,7 @@ fi
 /lib/modules/%{KVERREL}%{?2:+%{2}}/vdso\
 /etc/ld.so.conf.d/kernel-%{KVERREL}%{?2:+%{2}}.conf\
 %endif\
+%config(noreplace) %{_sysctldir}/10-yama-ptrace-%{KVERREL}%{?2:+%{2}}.conf\
 /lib/modules/%{KVERREL}%{?2:+%{2}}/modules.*\
 %{expand:%%files -f kernel-%{?2:%{2}-}modules.list %{?2:%{2}-}modules}\
 %defattr(-,root,root)\
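Review bot: `%config(noreplace)` on a per-kernel-version filename gives a false sense that local edits survive upgrades: an administrator who changes ptrace_scope in `10-yama-ptrace-4.0.5-…conf` keeps that edit only for that one package, while the next kernel installs a fresh `10-yama-ptrace-4.0.6-…conf` that sorts later and silently reapplies 0. Either drop the `$KernelVer` suffix from the installed name (at the cost of the file being shared between kernel packages) or keep the suffix and make it plain that the file is not meant to be edited, e.g. add `# Not intended for local edits; override in /etc/sysctl.d/ with a later-sorting name` next to the `%config(noreplace)` entry. The `%files` block continues outside this hunk.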
@@ -2375,6 +2383,9 @@ fi
 #
 # 
 %changelog
+* Thu Jun 23 2015 Mark Wielaard <mjw at redhat.com>
+- Add 10-yama-ptrace.conf (rhbz 1209492)
+
 * Thu Jun 18 2015 Josh Boyer <jwboyer at fedoraproject.org>
 - Add patch to fix touchpad issues on Razer machines (rhbz 1227891)
 
-- 
2.4.3


