From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] Kernel: Enable YAMA support
Date: Wed, 29 Jun 2022 20:09:46 +0000
Message-ID: <f33549d0-e94f-afd8-0232-6b96bf25eb82@ipfire.org>
In-Reply-To: <5CF05F78-6831-41B4-94E0-A1044C111BA5@ipfire.org>
Hello Michael,
thank you for reporting this.
Commit 5086ed681da4784474f0f71aaa70ec1d4940897c resolves the issue. As the sysctl value
cannot be decreased once it has been set to "3" (one of the few times where Linux seems
to actually show a mature approach to security by default), a reboot is required to apply
the change.
Thanks, and best regards,
Peter Müller
> I believe this stops strace from working. See screenshot.
>
> If I remember our conversation correctly, this should have worked for root. Is my assumption correct?
>
> -Michael
>
>
>
>> On 13 Jun 2022, at 14:31, Michael Tremer <michael.tremer@ipfire.org> wrote:
>>
>> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
>>
>>> On 11 Jun 2022, at 19:53, Peter Müller <peter.mueller@ipfire.org> wrote:
>>>
>>> See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for
>>> the upstream rationale. Enabling YAMA gives us the benefit of additional
>>> hardening options available, without any obvious downsides.
>>>
>>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>>> ---
>>> config/kernel/kernel.config.aarch64-ipfire | 2 +-
>>> config/kernel/kernel.config.armv6l-ipfire | 2 +-
>>> config/kernel/kernel.config.riscv64-ipfire | 2 +-
>>> config/kernel/kernel.config.x86_64-ipfire | 2 +-
>>> 4 files changed, 4 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
>>> index 6dfeae595..7e63b77ca 100644
>>> --- a/config/kernel/kernel.config.aarch64-ipfire
>>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>>> @@ -7555,7 +7555,7 @@ CONFIG_FORTIFY_SOURCE=y
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> # CONFIG_SECURITY_LOADPIN is not set
>>> -# CONFIG_SECURITY_YAMA is not set
>>> +CONFIG_SECURITY_YAMA=y
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> CONFIG_SECURITY_LOCKDOWN_LSM=y
>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
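Review bot: Setting CONFIG_SECURITY_YAMA=y is only half of activating the module on a kernel with the ordered LSM list; Yama is initialized only if it is also named in CONFIG_LSM (or an lsm= boot parameter), and that option is outside this hunk's context, so please confirm the aarch64 config's CONFIG_LSM string contains "yama" or add it in the same commit. On a booted system the result can be checked with `cat /sys/kernel/security/lsm` and by the presence of /proc/sys/kernel/yama/ptrace_scope.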
>>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
>>> index 1bb745a87..1b6440b11 100644
>>> --- a/config/kernel/kernel.config.armv6l-ipfire
>>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>>> @@ -7561,7 +7561,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> # CONFIG_SECURITY_LOADPIN is not set
>>> -# CONFIG_SECURITY_YAMA is not set
>>> +CONFIG_SECURITY_YAMA=y
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> CONFIG_SECURITY_LOCKDOWN_LSM=y
>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
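Review bot: The commit message describes this as hardening "without any obvious downsides", but the hunk does change observable behaviour: once Yama is active, kernel.yama.ptrace_scope defaults to 1, so an unprivileged user can only ptrace their own descendants (or a process that opted in with prctl(PR_SET_PTRACER)), and `strace -p` or `gdb -p` against an unrelated process of the same user stops working unless the caller has CAP_SYS_PTRACE. Please state the default scope and this effect in the commit message so the behaviour change is discoverable from git log.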
>>> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
>>> index 2d1fdbd28..2d6bb3a2c 100644
>>> --- a/config/kernel/kernel.config.riscv64-ipfire
>>> +++ b/config/kernel/kernel.config.riscv64-ipfire
>>> @@ -6193,7 +6193,7 @@ CONFIG_FORTIFY_SOURCE=y
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> # CONFIG_SECURITY_LOADPIN is not set
>>> -# CONFIG_SECURITY_YAMA is not set
>>> +CONFIG_SECURITY_YAMA=y
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> CONFIG_SECURITY_LOCKDOWN_LSM=y
>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>>> index b84698235..0efe14c41 100644
>>> --- a/config/kernel/kernel.config.x86_64-ipfire
>>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>>> @@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=y
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> # CONFIG_SECURITY_LOADPIN is not set
>>> -# CONFIG_SECURITY_YAMA is not set
>>> +CONFIG_SECURITY_YAMA=y
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> CONFIG_SECURITY_LOCKDOWN_LSM=y
>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
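Review bot: The series touches all four architecture configs but the commit message carries no test note; since this LSM changes who may attach with ptrace, please record how it was verified, at minimum `strace -p PID` as root and as an unprivileged user against a process that is not a child of the shell, together with the resulting value of /proc/sys/kernel/yama/ptrace_scope. It is also worth noting in the message that a scope of 3, if ever configured via sysctl, cannot be lowered again without a reboot, so any sysctl defaults shipped alongside this option need to be chosen deliberately.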
>>> --
>>> 2.35.3
>>
>
>
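For readers of this thread, a small Python model of the Yama policy Peter and Michael are discussing. It is an added illustration, not IPFire's code and not the kernel's: it encodes the documented kernel.yama.ptrace_scope levels 0 to 3, the rule that a scope of 3 cannot be lowered again without a reboot, and a check that reads the live value from /proc/sys/kernel/yama/ptrace_scope when that file exists. The Tracer dataclass, the function names and the sample scenarios are my own; the decision rules follow the upstream Yama documentation linked in the patch, and classic DAC ptrace checks (same uid, dumpable target) are assumed to pass.

```python
"""Model of the Yama ptrace_scope policy (added illustration, not kernel or IPFire code)."""
from dataclasses import dataclass
from typing import Optional

# Documented values of kernel.yama.ptrace_scope.
YAMA_SCOPE_DISABLED = 0    # classic ptrace permissions only
YAMA_SCOPE_RELATIONAL = 1  # kernel default: descendants, PR_SET_PTRACER opt-in, or CAP_SYS_PTRACE
YAMA_SCOPE_CAPABILITY = 2  # CAP_SYS_PTRACE required for any attach
YAMA_SCOPE_NO_ATTACH = 3   # nobody may attach; sticky until reboot

PTRACE_SCOPE_PATH = "/proc/sys/kernel/yama/ptrace_scope"


@dataclass
class Tracer:
    """The facts Yama looks at when a process tries PTRACE_ATTACH (hypothetical model type)."""
    has_cap_sys_ptrace: bool        # root normally has this capability
    is_ancestor_of_target: bool     # 'strace ./cmd' is an ancestor; 'strace -p PID' usually is not
    target_opted_in: bool = False   # tracee called prctl(PR_SET_PTRACER, tracer_pid)


def attach_allowed(scope: int, tracer: Tracer) -> bool:
    """Return whether Yama permits the attach at the given scope (DAC checks assumed to pass)."""
    if scope == YAMA_SCOPE_DISABLED:
        return True
    if scope == YAMA_SCOPE_RELATIONAL:
        return (tracer.has_cap_sys_ptrace
                or tracer.is_ancestor_of_target
                or tracer.target_opted_in)
    if scope == YAMA_SCOPE_CAPABILITY:
        return tracer.has_cap_sys_ptrace
    if scope == YAMA_SCOPE_NO_ATTACH:
        # Not even CAP_SYS_PTRACE helps here, which is why strace fails for root at scope 3.
        return False
    raise ValueError(f"invalid ptrace_scope {scope}")


def sysctl_write(current: int, requested: int) -> int:
    """Model writing kernel.yama.ptrace_scope: once the value is 3 the permitted
    range collapses to [3, 3], so a lower value is refused instead of silently ignored."""
    if not 0 <= requested <= 3:
        raise ValueError("ptrace_scope must be 0..3")
    if current == YAMA_SCOPE_NO_ATTACH and requested < YAMA_SCOPE_NO_ATTACH:
        raise PermissionError("ptrace_scope is 3 and cannot be lowered without a reboot")
    return requested


def read_live_scope(path: str = PTRACE_SCOPE_PATH) -> Optional[int]:
    """Return the host's ptrace_scope, or None when Yama is not active (file absent)."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except FileNotFoundError:
        return None


def report(scope: Optional[int]) -> str:
    """Human-readable summary of what a given scope means for common debugging cases."""
    if scope is None:
        return "Yama is not active on this kernel (no ptrace_scope sysctl)."
    root_attach = Tracer(has_cap_sys_ptrace=True, is_ancestor_of_target=False)
    user_attach = Tracer(has_cap_sys_ptrace=False, is_ancestor_of_target=False)
    user_child = Tracer(has_cap_sys_ptrace=False, is_ancestor_of_target=True)
    lines = [
        f"kernel.yama.ptrace_scope = {scope}",
        f"  root  'strace -p PID'      : {'allowed' if attach_allowed(scope, root_attach) else 'denied'}",
        f"  user  'strace -p PID'      : {'allowed' if attach_allowed(scope, user_attach) else 'denied'}",
        f"  user  'strace ./cmd' (child): {'allowed' if attach_allowed(scope, user_child) else 'denied'}",
    ]
    if scope == YAMA_SCOPE_NO_ATTACH:
        lines.append("  note: this value cannot be lowered again until reboot")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(read_live_scope()))
```

Run as a script on an IPFire box (or any Linux host) it prints the live scope and what root and an unprivileged user can expect from strace; the model functions can also be called with a chosen scope to reason about a configuration before shipping a sysctl default.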