Re: [PATCH] Kernel: Enable YAMA support

Re: [PATCH] Kernel: Enable YAMA support

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 3915 bytes --]

Hello Michael,

thank you for reporting this.

Commit 5086ed681da4784474f0f71aaa70ec1d4940897c resolves the issue. As the sysctl value
cannot be decreased once it has been set to "3" (one of the few times where Linux seems
to actually show a mature approach to security by default), a reboot is required to apply
the change.

Thanks, and best regards,
Peter Müller


> I believe this stops strace from working. See screenshot.
> 
> If I remember our conversation correctly, this should have worked for root. Is my assumption correct?
> 
> -Michael
> 
> 
> 
>> On 13 Jun 2022, at 14:31, Michael Tremer <michael.tremer(a)ipfire.org> wrote:
>>
>> Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
>>
>>> On 11 Jun 2022, at 19:53, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>
>>> See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for
>>> the upstream rationale. Enabling YAMA gives us the benefit of additional
>>> hardening options available, without any obvious downsides.
>>>
>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>> ---
>>> config/kernel/kernel.config.aarch64-ipfire | 2 +-
>>> config/kernel/kernel.config.armv6l-ipfire  | 2 +-
>>> config/kernel/kernel.config.riscv64-ipfire | 2 +-
>>> config/kernel/kernel.config.x86_64-ipfire  | 2 +-
>>> 4 files changed, 4 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
>>> index 6dfeae595..7e63b77ca 100644
>>> --- a/config/kernel/kernel.config.aarch64-ipfire
>>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>>> @@ -7555,7 +7555,7 @@ CONFIG_FORTIFY_SOURCE=y
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> # CONFIG_SECURITY_LOADPIN is not set
>>> -# CONFIG_SECURITY_YAMA is not set
>>> +CONFIG_SECURITY_YAMA=y
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> CONFIG_SECURITY_LOCKDOWN_LSM=y
>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
>>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
>>> index 1bb745a87..1b6440b11 100644
>>> --- a/config/kernel/kernel.config.armv6l-ipfire
>>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>>> @@ -7561,7 +7561,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> # CONFIG_SECURITY_LOADPIN is not set
>>> -# CONFIG_SECURITY_YAMA is not set
>>> +CONFIG_SECURITY_YAMA=y
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> CONFIG_SECURITY_LOCKDOWN_LSM=y
>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
>>> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
>>> index 2d1fdbd28..2d6bb3a2c 100644
>>> --- a/config/kernel/kernel.config.riscv64-ipfire
>>> +++ b/config/kernel/kernel.config.riscv64-ipfire
>>> @@ -6193,7 +6193,7 @@ CONFIG_FORTIFY_SOURCE=y
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> # CONFIG_SECURITY_LOADPIN is not set
>>> -# CONFIG_SECURITY_YAMA is not set
>>> +CONFIG_SECURITY_YAMA=y
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> CONFIG_SECURITY_LOCKDOWN_LSM=y
>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>>> index b84698235..0efe14c41 100644
>>> --- a/config/kernel/kernel.config.x86_64-ipfire
>>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>>> @@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=y
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> # CONFIG_SECURITY_LOADPIN is not set
>>> -# CONFIG_SECURITY_YAMA is not set
>>> +CONFIG_SECURITY_YAMA=y
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> CONFIG_SECURITY_LOCKDOWN_LSM=y
>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
>>> -- 
>>> 2.35.3
>>
> 
> 

Re: [PATCH] Kernel: Enable YAMA support

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 5371 bytes --]

Hello,

> On 1 Jul 2022, at 09:55, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Hello Michael,
> 
> thanks for you reply.
> 
>> Yes, I did figure that one out.
>> However, I disagree with making debugging that difficult. Anything that is running in production cannot be easily rebooted to just change a sysctl setting.
> 
> In this case, this came from the kernel itself - and in my opinion, it makes sense to make this
> irreversible if ptrace() has been already completely forbidden. I wish more sysctl's would adapt
> such a "fuse" behaviour...

I would kind of prefer to configure this at compile time.

>> Is there any harm in setting it to 2? I understand it that only root is allowed to perform ptrace().
> 
> No, I don't think so, it just fell through the cracks on my end when I was implementing this.

Thank you.

>> If an attacker has already gained root privileges I do not consider this a large benefit to further exploit the system.
> 
> ACK.
> 
> Thanks, and best regards,
> Peter Müller
> 
>> -Michael
>>> On 29 Jun 2022, at 21:09, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>> 
>>> Hello Michael,
>>> 
>>> thank you for reporting this.
>>> 
>>> Commit 5086ed681da4784474f0f71aaa70ec1d4940897c resolves the issue. As the sysctl value
>>> cannot be decreased once it has been set to "3" (one of the few times where Linux seems
>>> to actually show a mature approach to security by default), a reboot is required to apply
>>> the change.
>>> 
>>> Thanks, and best regards,
>>> Peter Müller
>>> 
>>> 
>>>> I believe this stops strace from working. See screenshot.
>>>> 
>>>> If I remember our conversation correctly, this should have worked for root. Is my assumption correct?
>>>> 
>>>> -Michael
>>>> 
>>>> 
>>>> 
>>>>> On 13 Jun 2022, at 14:31, Michael Tremer <michael.tremer(a)ipfire.org> wrote:
>>>>> 
>>>>> Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
>>>>> 
>>>>>> On 11 Jun 2022, at 19:53, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>>>> 
>>>>>> See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for
>>>>>> the upstream rationale. Enabling YAMA gives us the benefit of additional
>>>>>> hardening options available, without any obvious downsides.
>>>>>> 
>>>>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>>>>> ---
>>>>>> config/kernel/kernel.config.aarch64-ipfire | 2 +-
>>>>>> config/kernel/kernel.config.armv6l-ipfire  | 2 +-
>>>>>> config/kernel/kernel.config.riscv64-ipfire | 2 +-
>>>>>> config/kernel/kernel.config.x86_64-ipfire  | 2 +-
>>>>>> 4 files changed, 4 insertions(+), 4 deletions(-)
>>>>>> 
>>>>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
>>>>>> index 6dfeae595..7e63b77ca 100644
>>>>>> --- a/config/kernel/kernel.config.aarch64-ipfire
>>>>>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>>>>>> @@ -7555,7 +7555,7 @@ CONFIG_FORTIFY_SOURCE=y
>>>>>> # CONFIG_SECURITY_TOMOYO is not set
>>>>>> # CONFIG_SECURITY_APPARMOR is not set
>>>>>> # CONFIG_SECURITY_LOADPIN is not set
>>>>>> -# CONFIG_SECURITY_YAMA is not set
>>>>>> +CONFIG_SECURITY_YAMA=y
>>>>>> # CONFIG_SECURITY_SAFESETID is not set
>>>>>> CONFIG_SECURITY_LOCKDOWN_LSM=y
>>>>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
>>>>>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
>>>>>> index 1bb745a87..1b6440b11 100644
>>>>>> --- a/config/kernel/kernel.config.armv6l-ipfire
>>>>>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>>>>>> @@ -7561,7 +7561,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
>>>>>> # CONFIG_SECURITY_TOMOYO is not set
>>>>>> # CONFIG_SECURITY_APPARMOR is not set
>>>>>> # CONFIG_SECURITY_LOADPIN is not set
>>>>>> -# CONFIG_SECURITY_YAMA is not set
>>>>>> +CONFIG_SECURITY_YAMA=y
>>>>>> # CONFIG_SECURITY_SAFESETID is not set
>>>>>> CONFIG_SECURITY_LOCKDOWN_LSM=y
>>>>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
>>>>>> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
>>>>>> index 2d1fdbd28..2d6bb3a2c 100644
>>>>>> --- a/config/kernel/kernel.config.riscv64-ipfire
>>>>>> +++ b/config/kernel/kernel.config.riscv64-ipfire
>>>>>> @@ -6193,7 +6193,7 @@ CONFIG_FORTIFY_SOURCE=y
>>>>>> # CONFIG_SECURITY_TOMOYO is not set
>>>>>> # CONFIG_SECURITY_APPARMOR is not set
>>>>>> # CONFIG_SECURITY_LOADPIN is not set
>>>>>> -# CONFIG_SECURITY_YAMA is not set
>>>>>> +CONFIG_SECURITY_YAMA=y
>>>>>> # CONFIG_SECURITY_SAFESETID is not set
>>>>>> CONFIG_SECURITY_LOCKDOWN_LSM=y
>>>>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
>>>>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>>>>>> index b84698235..0efe14c41 100644
>>>>>> --- a/config/kernel/kernel.config.x86_64-ipfire
>>>>>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>>>>>> @@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=y
>>>>>> # CONFIG_SECURITY_TOMOYO is not set
>>>>>> # CONFIG_SECURITY_APPARMOR is not set
>>>>>> # CONFIG_SECURITY_LOADPIN is not set
>>>>>> -# CONFIG_SECURITY_YAMA is not set
>>>>>> +CONFIG_SECURITY_YAMA=y
>>>>>> # CONFIG_SECURITY_SAFESETID is not set
>>>>>> CONFIG_SECURITY_LOCKDOWN_LSM=y
>>>>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
>>>>>> -- 
>>>>>> 2.35.3
>>>>> 
>>>> 
>>>> 

Re: [PATCH] Kernel: Enable YAMA support

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 5064 bytes --]

Hello Michael,

thanks for you reply.

> Yes, I did figure that one out.
> 
> However, I disagree with making debugging that difficult. Anything that is running in production cannot be easily rebooted to just change a sysctl setting.

In this case, this came from the kernel itself - and in my opinion, it makes sense to make this
irreversible if ptrace() has been already completely forbidden. I wish more sysctl's would adapt
such a "fuse" behaviour...

> Is there any harm in setting it to 2? I understand it that only root is allowed to perform ptrace().

No, I don't think so, it just fell through the cracks on my end when I was implementing this.

> If an attacker has already gained root privileges I do not consider this a large benefit to further exploit the system.

ACK.

Thanks, and best regards,
Peter Müller

> 
> -Michael
> 
>> On 29 Jun 2022, at 21:09, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>
>> Hello Michael,
>>
>> thank you for reporting this.
>>
>> Commit 5086ed681da4784474f0f71aaa70ec1d4940897c resolves the issue. As the sysctl value
>> cannot be decreased once it has been set to "3" (one of the few times where Linux seems
>> to actually show a mature approach to security by default), a reboot is required to apply
>> the change.
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>
>>> I believe this stops strace from working. See screenshot.
>>>
>>> If I remember our conversation correctly, this should have worked for root. Is my assumption correct?
>>>
>>> -Michael
>>>
>>>
>>>
>>>> On 13 Jun 2022, at 14:31, Michael Tremer <michael.tremer(a)ipfire.org> wrote:
>>>>
>>>> Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
>>>>
>>>>> On 11 Jun 2022, at 19:53, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>>>
>>>>> See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for
>>>>> the upstream rationale. Enabling YAMA gives us the benefit of additional
>>>>> hardening options available, without any obvious downsides.
>>>>>
>>>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>>>> ---
>>>>> config/kernel/kernel.config.aarch64-ipfire | 2 +-
>>>>> config/kernel/kernel.config.armv6l-ipfire  | 2 +-
>>>>> config/kernel/kernel.config.riscv64-ipfire | 2 +-
>>>>> config/kernel/kernel.config.x86_64-ipfire  | 2 +-
>>>>> 4 files changed, 4 insertions(+), 4 deletions(-)
>>>>>
>>>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
>>>>> index 6dfeae595..7e63b77ca 100644
>>>>> --- a/config/kernel/kernel.config.aarch64-ipfire
>>>>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>>>>> @@ -7555,7 +7555,7 @@ CONFIG_FORTIFY_SOURCE=y
>>>>> # CONFIG_SECURITY_TOMOYO is not set
>>>>> # CONFIG_SECURITY_APPARMOR is not set
>>>>> # CONFIG_SECURITY_LOADPIN is not set
>>>>> -# CONFIG_SECURITY_YAMA is not set
>>>>> +CONFIG_SECURITY_YAMA=y
>>>>> # CONFIG_SECURITY_SAFESETID is not set
>>>>> CONFIG_SECURITY_LOCKDOWN_LSM=y
>>>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
>>>>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
>>>>> index 1bb745a87..1b6440b11 100644
>>>>> --- a/config/kernel/kernel.config.armv6l-ipfire
>>>>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>>>>> @@ -7561,7 +7561,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
>>>>> # CONFIG_SECURITY_TOMOYO is not set
>>>>> # CONFIG_SECURITY_APPARMOR is not set
>>>>> # CONFIG_SECURITY_LOADPIN is not set
>>>>> -# CONFIG_SECURITY_YAMA is not set
>>>>> +CONFIG_SECURITY_YAMA=y
>>>>> # CONFIG_SECURITY_SAFESETID is not set
>>>>> CONFIG_SECURITY_LOCKDOWN_LSM=y
>>>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
>>>>> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
>>>>> index 2d1fdbd28..2d6bb3a2c 100644
>>>>> --- a/config/kernel/kernel.config.riscv64-ipfire
>>>>> +++ b/config/kernel/kernel.config.riscv64-ipfire
>>>>> @@ -6193,7 +6193,7 @@ CONFIG_FORTIFY_SOURCE=y
>>>>> # CONFIG_SECURITY_TOMOYO is not set
>>>>> # CONFIG_SECURITY_APPARMOR is not set
>>>>> # CONFIG_SECURITY_LOADPIN is not set
>>>>> -# CONFIG_SECURITY_YAMA is not set
>>>>> +CONFIG_SECURITY_YAMA=y
>>>>> # CONFIG_SECURITY_SAFESETID is not set
>>>>> CONFIG_SECURITY_LOCKDOWN_LSM=y
>>>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
>>>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>>>>> index b84698235..0efe14c41 100644
>>>>> --- a/config/kernel/kernel.config.x86_64-ipfire
>>>>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>>>>> @@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=y
>>>>> # CONFIG_SECURITY_TOMOYO is not set
>>>>> # CONFIG_SECURITY_APPARMOR is not set
>>>>> # CONFIG_SECURITY_LOADPIN is not set
>>>>> -# CONFIG_SECURITY_YAMA is not set
>>>>> +CONFIG_SECURITY_YAMA=y
>>>>> # CONFIG_SECURITY_SAFESETID is not set
>>>>> CONFIG_SECURITY_LOCKDOWN_LSM=y
>>>>> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
>>>>> -- 
>>>>> 2.35.3
>>>>
>>>
>>>
> 

Re: [PATCH] Kernel: Enable YAMA support

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 3102 bytes --]

Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

> On 11 Jun 2022, at 19:53, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for
> the upstream rationale. Enabling YAMA gives us the benefit of additional
> hardening options available, without any obvious downsides.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 2 +-
> config/kernel/kernel.config.armv6l-ipfire  | 2 +-
> config/kernel/kernel.config.riscv64-ipfire | 2 +-
> config/kernel/kernel.config.x86_64-ipfire  | 2 +-
> 4 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index 6dfeae595..7e63b77ca 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -7555,7 +7555,7 @@ CONFIG_FORTIFY_SOURCE=y
> # CONFIG_SECURITY_TOMOYO is not set
> # CONFIG_SECURITY_APPARMOR is not set
> # CONFIG_SECURITY_LOADPIN is not set
> -# CONFIG_SECURITY_YAMA is not set
> +CONFIG_SECURITY_YAMA=y
> # CONFIG_SECURITY_SAFESETID is not set
> CONFIG_SECURITY_LOCKDOWN_LSM=y
> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index 1bb745a87..1b6440b11 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -7561,7 +7561,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
> # CONFIG_SECURITY_TOMOYO is not set
> # CONFIG_SECURITY_APPARMOR is not set
> # CONFIG_SECURITY_LOADPIN is not set
> -# CONFIG_SECURITY_YAMA is not set
> +CONFIG_SECURITY_YAMA=y
> # CONFIG_SECURITY_SAFESETID is not set
> CONFIG_SECURITY_LOCKDOWN_LSM=y
> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
> index 2d1fdbd28..2d6bb3a2c 100644
> --- a/config/kernel/kernel.config.riscv64-ipfire
> +++ b/config/kernel/kernel.config.riscv64-ipfire
> @@ -6193,7 +6193,7 @@ CONFIG_FORTIFY_SOURCE=y
> # CONFIG_SECURITY_TOMOYO is not set
> # CONFIG_SECURITY_APPARMOR is not set
> # CONFIG_SECURITY_LOADPIN is not set
> -# CONFIG_SECURITY_YAMA is not set
> +CONFIG_SECURITY_YAMA=y
> # CONFIG_SECURITY_SAFESETID is not set
> CONFIG_SECURITY_LOCKDOWN_LSM=y
> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index b84698235..0efe14c41 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=y
> # CONFIG_SECURITY_TOMOYO is not set
> # CONFIG_SECURITY_APPARMOR is not set
> # CONFIG_SECURITY_LOADPIN is not set
> -# CONFIG_SECURITY_YAMA is not set
> +CONFIG_SECURITY_YAMA=y
> # CONFIG_SECURITY_SAFESETID is not set
> CONFIG_SECURITY_LOCKDOWN_LSM=y
> CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
> -- 
> 2.35.3

[PATCH] Kernel: Enable YAMA support

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 2853 bytes --]

See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for
the upstream rationale. Enabling YAMA gives us the benefit of additional
hardening options available, without any obvious downsides.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire | 2 +-
 config/kernel/kernel.config.armv6l-ipfire  | 2 +-
 config/kernel/kernel.config.riscv64-ipfire | 2 +-
 config/kernel/kernel.config.x86_64-ipfire  | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 6dfeae595..7e63b77ca 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -7555,7 +7555,7 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
 # CONFIG_SECURITY_LOADPIN is not set
-# CONFIG_SECURITY_YAMA is not set
+CONFIG_SECURITY_YAMA=y
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 1bb745a87..1b6440b11 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -7561,7 +7561,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
 # CONFIG_SECURITY_LOADPIN is not set
-# CONFIG_SECURITY_YAMA is not set
+CONFIG_SECURITY_YAMA=y
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index 2d1fdbd28..2d6bb3a2c 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -6193,7 +6193,7 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
 # CONFIG_SECURITY_LOADPIN is not set
-# CONFIG_SECURITY_YAMA is not set
+CONFIG_SECURITY_YAMA=y
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index b84698235..0efe14c41 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
 # CONFIG_SECURITY_LOADPIN is not set
-# CONFIG_SECURITY_YAMA is not set
+CONFIG_SECURITY_YAMA=y
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-- 
2.35.3