From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] Kernel: Enable YAMA support
Date: Fri, 01 Jul 2022 08:55:09 +0000
Message-ID: <9b4ca1fb-75a1-64a9-e067-ce5f775672d6@ipfire.org>
In-Reply-To: <947B7555-2C93-4E63-A35D-7D4C4DB86220@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4878152899456892153=="
List-Id:

--===============4878152899456892153==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello Michael,

thanks for your reply.

> Yes, I did figure that one out.
>
> However, I disagree with making debugging that difficult. Anything that is running in production cannot be easily rebooted to just change a sysctl setting.

In this case, this came from the kernel itself - and in my opinion, it makes sense to make this irreversible
if ptrace() has been already completely forbidden. I wish more sysctl's would adapt such a "fuse" behaviour...

> Is there any harm in setting it to 2? I understand it that only root is allowed to perform ptrace().

No, I don't think so, it just fell through the cracks on my end when I was implementing this.

> If an attacker has already gained root privileges I do not consider this a large benefit to further exploit the system.

ACK.

Thanks, and best regards,
Peter Müller

>
> -Michael
>
>> On 29 Jun 2022, at 21:09, Peter Müller wrote:
>>
>> Hello Michael,
>>
>> thank you for reporting this.
>>
>> Commit 5086ed681da4784474f0f71aaa70ec1d4940897c resolves the issue. As the sysctl value
>> cannot be decreased once it has been set to "3" (one of the few times where Linux seems
>> to actually show a mature approach to security by default), a reboot is required to apply
>> the change.
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>
>>> I believe this stops strace from working. See screenshot.
>>>
>>> If I remember our conversation correctly, this should have worked for root.
>>> Is my assumption correct?
>>>
>>> -Michael
>>>
>>>
>>>
>>>> On 13 Jun 2022, at 14:31, Michael Tremer wrote:
>>>>
>>>> Reviewed-by: Michael Tremer
>>>>
>>>>> On 11 Jun 2022, at 19:53, Peter Müller wrote:
>>>>>
>>>>> See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for
>>>>> the upstream rationale. Enabling YAMA gives us the benefit of additional
>>>>> hardening options available, without any obvious downsides.
>>>>>
>>>>> Signed-off-by: Peter Müller
>>>>> --- >>>>> config/kernel/kernel.config.aarch64-ipfire | 2 +- >>>>> config/kernel/kernel.config.armv6l-ipfire | 2 +- >>>>> config/kernel/kernel.config.riscv64-ipfire | 2 +- >>>>> config/kernel/kernel.config.x86_64-ipfire | 2 +- >>>>> 4 files changed, 4 insertions(+), 4 deletions(-) >>>>> >>>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel= /kernel.config.aarch64-ipfire >>>>> index 6dfeae595..7e63b77ca 100644 >>>>> --- a/config/kernel/kernel.config.aarch64-ipfire >>>>> +++ b/config/kernel/kernel.config.aarch64-ipfire >>>>> @@ -7555,7 +7555,7 @@ CONFIG_FORTIFY_SOURCE=3Dy >>>>> # CONFIG_SECURITY_TOMOYO is not set >>>>> # CONFIG_SECURITY_APPARMOR is not set >>>>> # CONFIG_SECURITY_LOADPIN is not set >>>>> -# CONFIG_SECURITY_YAMA is not set >>>>> +CONFIG_SECURITY_YAMA=3Dy >>>>> # CONFIG_SECURITY_SAFESETID is not set >>>>> CONFIG_SECURITY_LOCKDOWN_LSM=3Dy >>>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=3Dy >>>>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/= kernel.config.armv6l-ipfire >>>>> index 1bb745a87..1b6440b11 100644 >>>>> --- a/config/kernel/kernel.config.armv6l-ipfire >>>>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>>>>> @@ -7561,7 +7561,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=3Dy >>>>> # CONFIG_SECURITY_TOMOYO is not set >>>>> # CONFIG_SECURITY_APPARMOR is not set >>>>> # CONFIG_SECURITY_LOADPIN is not set >>>>> -# CONFIG_SECURITY_YAMA is not set >>>>> +CONFIG_SECURITY_YAMA=3Dy >>>>> # CONFIG_SECURITY_SAFESETID is not set >>>>> CONFIG_SECURITY_LOCKDOWN_LSM=3Dy >>>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=3Dy >>>>> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel= /kernel.config.riscv64-ipfire >>>>> index 2d1fdbd28..2d6bb3a2c 100644 >>>>> --- a/config/kernel/kernel.config.riscv64-ipfire >>>>> +++ b/config/kernel/kernel.config.riscv64-ipfire >>>>> @@ -6193,7 +6193,7 @@ CONFIG_FORTIFY_SOURCE=3Dy >>>>> # CONFIG_SECURITY_TOMOYO is not set >>>>> # CONFIG_SECURITY_APPARMOR is not set >>>>> # CONFIG_SECURITY_LOADPIN is not set >>>>> -# CONFIG_SECURITY_YAMA is not set >>>>> +CONFIG_SECURITY_YAMA=3Dy >>>>> # CONFIG_SECURITY_SAFESETID is not set >>>>> CONFIG_SECURITY_LOCKDOWN_LSM=3Dy >>>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=3Dy >>>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/= kernel.config.x86_64-ipfire >>>>> index b84698235..0efe14c41 100644 >>>>> --- a/config/kernel/kernel.config.x86_64-ipfire >>>>> +++ b/config/kernel/kernel.config.x86_64-ipfire >>>>> @@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=3Dy >>>>> # CONFIG_SECURITY_TOMOYO is not set >>>>> # CONFIG_SECURITY_APPARMOR is not set >>>>> # CONFIG_SECURITY_LOADPIN is not set >>>>> -# CONFIG_SECURITY_YAMA is not set >>>>> +CONFIG_SECURITY_YAMA=3Dy >>>>> # CONFIG_SECURITY_SAFESETID is not set >>>>> CONFIG_SECURITY_LOCKDOWN_LSM=3Dy >>>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=3Dy >>>>> --=20 >>>>> 2.35.3 >>>> >>> >>> >=20 --===============4878152899456892153==--
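
Review bot: the "without any obvious downsides" claim in the commit message does not match what the +CONFIG_SECURITY_YAMA line in each of the four kernel.config hunks does. Building Yama in changes ptrace behaviour on its own, because the kernel's default for kernel.yama.ptrace_scope is 1, which limits attaching (strace -p, gdb -p) to a process's own descendants for unprivileged users. Please state in the commit message which ptrace_scope value the distribution is meant to run with and where it gets set, and mention that a value of 3 cannot be lowered again without a reboot, which is the problem the replies in this thread ran into.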
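
Review bot: none of the four hunks shows CONFIG_LSM; the context lines only cover the per-module switches next to the change (TOMOYO, APPARMOR, LOADPIN, SAFESETID, LOCKDOWN_LSM). On kernels that take the list of active modules from CONFIG_LSM, a module left off that list is built but never initialised, so please confirm that "yama" is in CONFIG_LSM in all four configs, or add it in this patch. Otherwise the option is compiled in without taking effect.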
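
The "fuse" behaviour discussed in this thread (once kernel.yama.ptrace_scope is 3, only 3 can be written again), as an added example that is not part of the original mail or of IPFire's code: a shell check that finds the effective value in sysctl-style files and says whether moving a running system to it needs a reboot. The file names and contents in demo() are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not IPFire code. Sample files in demo() are constructed.

# Print the last kernel.yama.ptrace_scope assignment found in the given
# sysctl-style files (later files and later lines win); nothing if unset.
configured_scope() {
    awk -F= '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "kernel.yama.ptrace_scope") last = val
        }
        END { if (last != "") print last }
    ' "$@"
}

# What does it take to go from the running value ($1) to the wanted one ($2)?
# Yama accepts writes of 0..3 from a CAP_SYS_PTRACE holder, but once the
# value is 3 only 3 is accepted again, so leaving 3 means rebooting.
# Prints: unchanged | runtime | reboot | invalid
scope_change() {
    for v in "$1" "$2"; do
        case "$v" in
            [0-3]) ;;
            *) echo invalid; return 1 ;;
        esac
    done
    if [ "$1" -eq "$2" ]; then echo unchanged
    elif [ "$1" -eq 3 ]; then echo reboot
    else echo runtime
    fi
}

demo() {
    dir=$(mktemp -d)
    printf 'kernel.yama.ptrace_scope = 3\n' > "$dir/10-hardening.conf"
    printf '# let root use strace\nkernel.yama.ptrace_scope=2\n' > "$dir/20-debug.conf"
    wanted=$(configured_scope "$dir"/*.conf)
    echo "configured=$wanted running=3 -> $(scope_change 3 "$wanted")"
    rm -rf "$dir"
}
demo
```

On a live system the running value for the first argument comes from /proc/sys/kernel/yama/ptrace_scope.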