>From cbe1bca54f09d878c5551ca53a923b879e7230f9 Mon Sep 17 00:00:00 2001
From: Mark Wielaard
Date: Sat, 1 Aug 2015 19:18:10 +0200
Subject: [PATCH] Set yama ptrace_scope default (rhbz 1209492)
---
 config-generic | 2 ++
 kernel.spec | 9 ++++++
 yama-set-ptrace_scope-default.patch | 61 +++++++++++++++++++++++++++++++++++++
 3 files changed, 72 insertions(+)
 create mode 100644 yama-set-ptrace_scope-default.patch
diff --git a/config-generic b/config-generic
index 24a3387..3d84ed0 100644
--- a/config-generic
+++ b/config-generic
@@ -4585,7 +4585,9 @@ CONFIG_SECURITY_SELINUX_AVC_STATS=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
+# (rhbz 1209492) we only want yama enabled with ptrace_scope set to zero.
 CONFIG_SECURITY_YAMA=y
+CONFIG_SECURITY_YAMA_PTRACE_DEFAULT=0
 CONFIG_SECURITY_YAMA_STACKED=y
 CONFIG_AUDIT=y
 CONFIG_AUDITSYSCALL=y
diff --git a/kernel.spec b/kernel.spec
index 792f833..51df973 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -645,6 +645,9 @@ Patch26260: x86-nmi-64-Improve-nested-NMI-comments.patch
 Patch26261: x86-nmi-64-Reorder-nested-NMI-checks.patch
 Patch26262: x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
 
+# rhbz 1209492
+Patch26263: yama-set-ptrace_scope-default.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1408,6 +1411,9 @@ ApplyPatch x86-nmi-64-Improve-nested-NMI-comments.patch
 ApplyPatch x86-nmi-64-Reorder-nested-NMI-checks.patch
 ApplyPatch x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
 
+# rhbz 1209492
+ApplyPatch yama-set-ptrace_scope-default.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2258,6 +2264,9 @@ fi
 #
 #
 %changelog
+* Sat Aug 01 2015 Mark Wielaard
+- Set yama ptrace_scope default (rhbz 1209492)
+
 * Wed Jul 29 2015 Laura Abbott - 4.1.3-201
 - tag and build for CVE fixes
 
diff --git a/yama-set-ptrace_scope-default.patch b/yama-set-ptrace_scope-default.patch
new file mode 100644
index 0000000..5e36e56
--- /dev/null
+++ b/yama-set-ptrace_scope-default.patch
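Review bot: The added `CONFIG_SECURITY_YAMA_PTRACE_DEFAULT=0` line makes the kernel boot with classic ptrace semantics, so the ptrace restriction Yama exists for is off unless an administrator turns it on, and the comment above it does not say so. Since the nested patch's description states the value is only a compile-time default that remains adjustable through sysctl, the comment should tell readers how to get the restriction back, e.g. `# (rhbz 1209492) we only want yama enabled with ptrace_scope set to zero; ptrace restrictions stay available at runtime via the kernel.yama.ptrace_scope sysctl (see Documentation/security/Yama.txt).` Hardening documentation for this kernel can then point at the sysctl instead of assuming Yama's upstream default of 1. The Patch26263 and ApplyPatch hunks in kernel.spec need no change.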
@@ -0,0 +1,61 @@
+yama: make the default ptrace_scope value a Kconfig option
+
+From: Paul Moore
+
+By default a Yama enabled system boots into a "restricted ptrace"
+mode, while desirable from a security point of view, it does alter
+the classic Linux ptrace() permissions and is seen by some as a
+serious API breakage. It is possible to alter the ptrace_scope at
+runtime through the normal sysctl methods, but there are some
+distributions which insist on using the kernel compile time defaults
+for Yama while at the same time complaining about the API break.
+Needless to say, this makes it very difficult to enable Yama in these
+distribution kernels.
+
+This patch creates CONFIG_SECURITY_YAMA_PTRACE_DEFAULT, a new Kconfig
+option, which allows a user to set the compile time default for Yama's
+ptrace_scope setting. The default value is set to "1" to preserve
+Yama's defaults.
+
+Signed-off-by: Paul Moore
+---
+ security/yama/Kconfig | 12 ++++++++++++
+ security/yama/yama_lsm.c | 2 +-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/security/yama/Kconfig b/security/yama/Kconfig
+index 90c605e..2cf9bad 100644
+--- a/security/yama/Kconfig
++++ b/security/yama/Kconfig
+@@ -10,6 +10,18 @@
+ 
+ If you are unsure how to answer this question, answer N.
+ 
++config SECURITY_YAMA_PTRACE_DEFAULT
++ int "Yama default ptrace_scope value"
++ depends on SECURITY_YAMA
++ range 0 3
++ default 1
++ help
++ This sets the default ptrace_scope value as described in
++ Documentation/security/Yama.txt. Historically Yama has always had
++ a default value of 1, enabling some ptrace restrictions, but the
++ classic, unrestricted Linux ptrace behavior is possible with a value
++ of 0.
++
+ config SECURITY_YAMA_STACKED
+ bool "Yama stacked with other LSMs"
+ depends on SECURITY_YAMA
+diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
+index d3c19c9..16a35ec 100644
+--- a/security/yama/yama_lsm.c
++++ b/security/yama/yama_lsm.c
+@@ -24,7 +24,7 @@
+ #define YAMA_SCOPE_CAPABILITY 2
+ #define YAMA_SCOPE_NO_ATTACH 3
+ 
+-static int ptrace_scope = YAMA_SCOPE_RELATIONAL;
++static int ptrace_scope = CONFIG_SECURITY_YAMA_PTRACE_DEFAULT;
+ 
+ /* describe a ptrace relationship for potential exception */
+ struct ptrace_relation {
-- 
2.4.3
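Review bot: The backported patch carries only `From: Paul Moore` and a `Signed-off-by` line, with no upstream commit id or mailing-list reference, and the kernel.spec comment `# rhbz 1209492` points at the distribution bug rather than the upstream submission, so at the next rebase nobody can tell whether this file is already merged and can be dropped. Record the upstream status next to the Patch26263 definition, e.g. `# rhbz 1209492 -- upstream status: <posted-or-merged reference>`, with the placeholder replaced by the real reference. The `range 0 3` on the new Kconfig symbol is what keeps the compile-time default inside the YAMA_SCOPE_* values used by the `ptrace_scope` initializer in yama_lsm.c; the help text could say so in one line, `Values outside 0..3 are rejected at configuration time.`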