From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] Kernel: Enable YAMA support
Date: Fri, 01 Jul 2022 11:42:26 +0100
Message-ID:
In-Reply-To: <9b4ca1fb-75a1-64a9-e067-ce5f775672d6@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1868988094330484969=="
List-Id:

--===============1868988094330484969==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello,

> On 1 Jul 2022, at 09:55, Peter Müller wrote:
>
> Hello Michael,
>
> thanks for your reply.
>
>> Yes, I did figure that one out.
>> However, I disagree with making debugging that difficult. Anything that is running in production cannot be easily rebooted to just change a sysctl setting.
>
> In this case, this came from the kernel itself - and in my opinion, it makes sense to make this
> irreversible if ptrace() has been already completely forbidden. I wish more sysctl's would adapt
> such a "fuse" behaviour...

I would kind of prefer to configure this at compile time.

>> Is there any harm in setting it to 2? I understand it that only root is allowed to perform ptrace().
>
> No, I don't think so, it just fell through the cracks on my end when I was implementing this.

Thank you.

>> If an attacker has already gained root privileges I do not consider this a large benefit to further exploit the system.
>
> ACK.
>
> Thanks, and best regards,
> Peter Müller
>
>> -Michael
>>> On 29 Jun 2022, at 21:09, Peter Müller wrote:
>>>
>>> Hello Michael,
>>>
>>> thank you for reporting this.
>>>
>>> Commit 5086ed681da4784474f0f71aaa70ec1d4940897c resolves the issue. As the sysctl value
>>> cannot be decreased once it has been set to "3" (one of the few times where Linux seems
>>> to actually show a mature approach to security by default), a reboot is required to apply
>>> the change.
>>>=20 >>> Thanks, and best regards, >>> Peter M=C3=BCller >>>=20 >>>=20 >>>> I believe this stops strace from working. See screenshot. >>>>=20 >>>> If I remember our conversation correctly, this should have worked for ro= ot. Is my assumption correct? >>>>=20 >>>> -Michael >>>>=20 >>>>=20 >>>>=20 >>>>> On 13 Jun 2022, at 14:31, Michael Tremer = wrote: >>>>>=20 >>>>> Reviewed-by: Michael Tremer >>>>>=20 >>>>>> On 11 Jun 2022, at 19:53, Peter M=C3=BCller wrote: >>>>>>=20 >>>>>> See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html f= or >>>>>> the upstream rationale. Enabling YAMA gives us the benefit of addition= al >>>>>> hardening options available, without any obvious downsides. >>>>>>=20 >>>>>> Signed-off-by: Peter M=C3=BCller >>>>>> --- >>>>>> config/kernel/kernel.config.aarch64-ipfire | 2 +- >>>>>> config/kernel/kernel.config.armv6l-ipfire | 2 +- >>>>>> config/kernel/kernel.config.riscv64-ipfire | 2 +- >>>>>> config/kernel/kernel.config.x86_64-ipfire | 2 +- >>>>>> 4 files changed, 4 insertions(+), 4 deletions(-) >>>>>>=20 >>>>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kerne= l/kernel.config.aarch64-ipfire >>>>>> index 6dfeae595..7e63b77ca 100644 >>>>>> --- a/config/kernel/kernel.config.aarch64-ipfire >>>>>> +++ b/config/kernel/kernel.config.aarch64-ipfire >>>>>> @@ -7555,7 +7555,7 @@ CONFIG_FORTIFY_SOURCE=3Dy >>>>>> # CONFIG_SECURITY_TOMOYO is not set >>>>>> # CONFIG_SECURITY_APPARMOR is not set >>>>>> # CONFIG_SECURITY_LOADPIN is not set >>>>>> -# CONFIG_SECURITY_YAMA is not set >>>>>> +CONFIG_SECURITY_YAMA=3Dy >>>>>> # CONFIG_SECURITY_SAFESETID is not set >>>>>> CONFIG_SECURITY_LOCKDOWN_LSM=3Dy >>>>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=3Dy >>>>>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel= /kernel.config.armv6l-ipfire >>>>>> index 1bb745a87..1b6440b11 100644 >>>>>> --- a/config/kernel/kernel.config.armv6l-ipfire >>>>>> +++ b/config/kernel/kernel.config.armv6l-ipfire 
>>>>>> @@ -7561,7 +7561,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=3Dy >>>>>> # CONFIG_SECURITY_TOMOYO is not set >>>>>> # CONFIG_SECURITY_APPARMOR is not set >>>>>> # CONFIG_SECURITY_LOADPIN is not set >>>>>> -# CONFIG_SECURITY_YAMA is not set >>>>>> +CONFIG_SECURITY_YAMA=3Dy >>>>>> # CONFIG_SECURITY_SAFESETID is not set >>>>>> CONFIG_SECURITY_LOCKDOWN_LSM=3Dy >>>>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=3Dy >>>>>> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kerne= l/kernel.config.riscv64-ipfire >>>>>> index 2d1fdbd28..2d6bb3a2c 100644 >>>>>> --- a/config/kernel/kernel.config.riscv64-ipfire >>>>>> +++ b/config/kernel/kernel.config.riscv64-ipfire >>>>>> @@ -6193,7 +6193,7 @@ CONFIG_FORTIFY_SOURCE=3Dy >>>>>> # CONFIG_SECURITY_TOMOYO is not set >>>>>> # CONFIG_SECURITY_APPARMOR is not set >>>>>> # CONFIG_SECURITY_LOADPIN is not set >>>>>> -# CONFIG_SECURITY_YAMA is not set >>>>>> +CONFIG_SECURITY_YAMA=3Dy >>>>>> # CONFIG_SECURITY_SAFESETID is not set >>>>>> CONFIG_SECURITY_LOCKDOWN_LSM=3Dy >>>>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=3Dy >>>>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel= /kernel.config.x86_64-ipfire >>>>>> index b84698235..0efe14c41 100644 >>>>>> --- a/config/kernel/kernel.config.x86_64-ipfire >>>>>> +++ b/config/kernel/kernel.config.x86_64-ipfire >>>>>> @@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=3Dy >>>>>> # CONFIG_SECURITY_TOMOYO is not set >>>>>> # CONFIG_SECURITY_APPARMOR is not set >>>>>> # CONFIG_SECURITY_LOADPIN is not set >>>>>> -# CONFIG_SECURITY_YAMA is not set >>>>>> +CONFIG_SECURITY_YAMA=3Dy >>>>>> # CONFIG_SECURITY_SAFESETID is not set >>>>>> CONFIG_SECURITY_LOCKDOWN_LSM=3Dy >>>>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=3Dy >>>>>> --=20 >>>>>> 2.35.3 >>>>>=20 >>>>=20 >>>>=20 --===============1868988094330484969==--
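Review bot: The added CONFIG_SECURITY_YAMA=y line in each of the four hunks (aarch64, armv6l, riscv64, x86_64) only builds Yama into the kernel; nothing in the patch or its commit message says which ptrace_scope value the running system is meant to use, although the message claims "without any obvious downsides". Please name the intended kernel.yama.ptrace_scope value in the commit message and say where it is set. As the follow-up in this thread shows, 3 stops strace even for root and cannot be lowered again without a reboot, while 2 limits ptrace() to processes holding CAP_SYS_PTRACE (normally root), so the choice decides whether debugging on a production system stays possible.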