Hello,

> On 1 Jul 2022, at 09:55, Peter Müller wrote:
>
> Hello Michael,
>
> thanks for your reply.
>
>> Yes, I did figure that one out.
>> However, I disagree with making debugging that difficult. Anything that is running in production cannot be easily rebooted to just change a sysctl setting.
>
> In this case, this came from the kernel itself - and in my opinion, it makes sense to make this
> irreversible if ptrace() has been already completely forbidden. I wish more sysctl's would adapt
> such a "fuse" behaviour...

I would kind of prefer to configure this at compile time.

>> Is there any harm in setting it to 2? I understand it that only root is allowed to perform ptrace().
>
> No, I don't think so, it just fell through the cracks on my end when I was implementing this.

Thank you.

>> If an attacker has already gained root privileges I do not consider this a large benefit to further exploit the system.
>
> ACK.
>
> Thanks, and best regards,
> Peter Müller
>
>> -Michael
>>> On 29 Jun 2022, at 21:09, Peter Müller wrote:
>>>
>>> Hello Michael,
>>>
>>> thank you for reporting this.
>>>
>>> Commit 5086ed681da4784474f0f71aaa70ec1d4940897c resolves the issue. As the sysctl value
>>> cannot be decreased once it has been set to "3" (one of the few times where Linux seems
>>> to actually show a mature approach to security by default), a reboot is required to apply
>>> the change.
>>>
>>> Thanks, and best regards,
>>> Peter Müller
>>>
>>>
>>>> I believe this stops strace from working. See screenshot.
>>>>
>>>> If I remember our conversation correctly, this should have worked for root. Is my assumption correct?
>>>>
>>>> -Michael
>>>>
>>>>
>>>>
>>>>> On 13 Jun 2022, at 14:31, Michael Tremer wrote:
>>>>>
>>>>> Reviewed-by: Michael Tremer
>>>>>
>>>>>> On 11 Jun 2022, at 19:53, Peter Müller wrote:
>>>>>>
>>>>>> See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for
>>>>>> the upstream rationale.
Enabling YAMA gives us the benefit of additional >>>>>> hardening options available, without any obvious downsides. >>>>>> >>>>>> Signed-off-by: Peter Müller >>>>>> --- >>>>>> config/kernel/kernel.config.aarch64-ipfire | 2 +- >>>>>> config/kernel/kernel.config.armv6l-ipfire | 2 +- >>>>>> config/kernel/kernel.config.riscv64-ipfire | 2 +- >>>>>> config/kernel/kernel.config.x86_64-ipfire | 2 +- >>>>>> 4 files changed, 4 insertions(+), 4 deletions(-) >>>>>> >>>>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire >>>>>> index 6dfeae595..7e63b77ca 100644 >>>>>> --- a/config/kernel/kernel.config.aarch64-ipfire >>>>>> +++ b/config/kernel/kernel.config.aarch64-ipfire >>>>>> @@ -7555,7 +7555,7 @@ CONFIG_FORTIFY_SOURCE=y >>>>>> # CONFIG_SECURITY_TOMOYO is not set >>>>>> # CONFIG_SECURITY_APPARMOR is not set >>>>>> # CONFIG_SECURITY_LOADPIN is not set >>>>>> -# CONFIG_SECURITY_YAMA is not set >>>>>> +CONFIG_SECURITY_YAMA=y >>>>>> # CONFIG_SECURITY_SAFESETID is not set >>>>>> CONFIG_SECURITY_LOCKDOWN_LSM=y >>>>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y >>>>>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire >>>>>> index 1bb745a87..1b6440b11 100644 >>>>>> --- a/config/kernel/kernel.config.armv6l-ipfire >>>>>> +++ b/config/kernel/kernel.config.armv6l-ipfire >>>>>> @@ -7561,7 +7561,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y >>>>>> # CONFIG_SECURITY_TOMOYO is not set >>>>>> # CONFIG_SECURITY_APPARMOR is not set >>>>>> # CONFIG_SECURITY_LOADPIN is not set >>>>>> -# CONFIG_SECURITY_YAMA is not set >>>>>> +CONFIG_SECURITY_YAMA=y >>>>>> # CONFIG_SECURITY_SAFESETID is not set >>>>>> CONFIG_SECURITY_LOCKDOWN_LSM=y >>>>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y >>>>>> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire >>>>>> index 2d1fdbd28..2d6bb3a2c 100644 >>>>>> --- a/config/kernel/kernel.config.riscv64-ipfire 
>>>>>> +++ b/config/kernel/kernel.config.riscv64-ipfire >>>>>> @@ -6193,7 +6193,7 @@ CONFIG_FORTIFY_SOURCE=y >>>>>> # CONFIG_SECURITY_TOMOYO is not set >>>>>> # CONFIG_SECURITY_APPARMOR is not set >>>>>> # CONFIG_SECURITY_LOADPIN is not set >>>>>> -# CONFIG_SECURITY_YAMA is not set >>>>>> +CONFIG_SECURITY_YAMA=y >>>>>> # CONFIG_SECURITY_SAFESETID is not set >>>>>> CONFIG_SECURITY_LOCKDOWN_LSM=y >>>>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y >>>>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire >>>>>> index b84698235..0efe14c41 100644 >>>>>> --- a/config/kernel/kernel.config.x86_64-ipfire >>>>>> +++ b/config/kernel/kernel.config.x86_64-ipfire >>>>>> @@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=y >>>>>> # CONFIG_SECURITY_TOMOYO is not set >>>>>> # CONFIG_SECURITY_APPARMOR is not set >>>>>> # CONFIG_SECURITY_LOADPIN is not set >>>>>> -# CONFIG_SECURITY_YAMA is not set >>>>>> +CONFIG_SECURITY_YAMA=y >>>>>> # CONFIG_SECURITY_SAFESETID is not set >>>>>> CONFIG_SECURITY_LOCKDOWN_LSM=y >>>>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y >>>>>> -- >>>>>> 2.35.3 >>>>> >>>> >>>>
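
Review bot: The `+CONFIG_SECURITY_YAMA=y` line in each of the four hunks builds Yama in, but neither the patch nor its commit message says which `kernel.yama.ptrace_scope` value the system is meant to run with, so "without any obvious downsides" cannot be checked from the change itself. The replies above show what that left open: with the scope at 3, strace stopped working for root and the value could not be lowered without a reboot. Suggest naming the intended scope in the commit message (the thread settles on 2) and shipping that sysctl setting together with this change, so the kernel option and its runtime policy are reviewed as one unit. Also worth confirming that `yama` is listed in `CONFIG_LSM`, which lies outside the context shown in these hunks; if it is missing from the LSM list, the option is compiled in but not active.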
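
The "fuse" behaviour of `kernel.yama.ptrace_scope` and the difference between levels 2 and 3 for root, both discussed in the thread above, as an added userspace model (not kernel code and not part of the original e-mails). The names `yama_model`, `yama_write_scope` and `yama_may_attach` are hypothetical, and the attach check is simplified as noted in its comment.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* ptrace_scope levels as listed in the kernel's Yama admin guide. */
enum { SCOPE_CLASSIC = 0, SCOPE_RELATIONAL = 1, SCOPE_CAPABILITY = 2, SCOPE_NO_ATTACH = 3 };

struct yama_model { int scope; };   /* hypothetical stand-in for the sysctl value */

/*
 * Model of a write to the sysctl: the writer needs CAP_SYS_PTRACE, the
 * value must lie in 0..3, and once the maximum (3) has been stored the
 * lower bound is raised to 3 as well, so the value can never drop again.
 */
int yama_write_scope(struct yama_model *m, int new_scope, bool has_cap_sys_ptrace)
{
    int min = SCOPE_CLASSIC, max = SCOPE_NO_ATTACH;

    if (!has_cap_sys_ptrace)
        return -EPERM;
    if (m->scope == max)            /* the "fuse": min is locked to max */
        min = max;
    if (new_scope < min || new_scope > max)
        return -EINVAL;
    m->scope = new_scope;
    return 0;
}

/*
 * Simplified attach decision. Assumes the classic uid/dumpable checks
 * already passed and ignores the PR_SET_PTRACER exception at level 1.
 */
bool yama_may_attach(const struct yama_model *m, bool has_cap_sys_ptrace, bool target_is_descendant)
{
    switch (m->scope) {
    case SCOPE_CLASSIC:    return true;
    case SCOPE_RELATIONAL: return target_is_descendant || has_cap_sys_ptrace;
    case SCOPE_CAPABILITY: return has_cap_sys_ptrace;
    default:               return false;   /* level 3: nobody, root included */
    }
}

int main(void)
{
    struct yama_model m = { SCOPE_CLASSIC };
    yama_write_scope(&m, SCOPE_NO_ATTACH, true);
    printf("lower 3 -> 2 as root: %d\n", yama_write_scope(&m, SCOPE_CAPABILITY, true));
    printf("root may attach at 3: %d\n", yama_may_attach(&m, true, false));
    return 0;
}
```

On a running system the current level can be read from `/proc/sys/kernel/yama/ptrace_scope`.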