See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for the upstream rationale. Enabling YAMA gives us the benefit of additional hardening options available, without any obvious downsides.
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/kernel/kernel.config.aarch64-ipfire | 2 +- config/kernel/kernel.config.armv6l-ipfire | 2 +- config/kernel/kernel.config.riscv64-ipfire | 2 +- config/kernel/kernel.config.x86_64-ipfire | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 6dfeae595..7e63b77ca 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7555,7 +7555,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 1bb745a87..1b6440b11 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7561,7 +7561,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index 2d1fdbd28..2d6bb3a2c 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6193,7 +6193,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index b84698235..0efe14c41 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
On 11 Jun 2022, at 19:53, Peter Müller peter.mueller@ipfire.org wrote:
See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for the upstream rationale. Enabling YAMA gives us the benefit of additional hardening options available, without any obvious downsides.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/kernel/kernel.config.aarch64-ipfire | 2 +- config/kernel/kernel.config.armv6l-ipfire | 2 +- config/kernel/kernel.config.riscv64-ipfire | 2 +- config/kernel/kernel.config.x86_64-ipfire | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 6dfeae595..7e63b77ca 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7555,7 +7555,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 1bb745a87..1b6440b11 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7561,7 +7561,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index 2d1fdbd28..2d6bb3a2c 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6193,7 +6193,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index b84698235..0efe14c41 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y -- 2.35.3
I believe this stops strace from working. See screenshot.
If I remember our conversation correctly, this should have worked for root. Is my assumption correct?
-Michael
On 13 Jun 2022, at 14:31, Michael Tremer michael.tremer@ipfire.org wrote:
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
On 11 Jun 2022, at 19:53, Peter Müller peter.mueller@ipfire.org wrote:
See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for the upstream rationale. Enabling YAMA gives us the benefit of additional hardening options available, without any obvious downsides.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/kernel/kernel.config.aarch64-ipfire | 2 +- config/kernel/kernel.config.armv6l-ipfire | 2 +- config/kernel/kernel.config.riscv64-ipfire | 2 +- config/kernel/kernel.config.x86_64-ipfire | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 6dfeae595..7e63b77ca 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7555,7 +7555,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 1bb745a87..1b6440b11 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7561,7 +7561,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index 2d1fdbd28..2d6bb3a2c 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6193,7 +6193,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index b84698235..0efe14c41 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y -- 2.35.3
Hello Michael,
thank you for reporting this.
Commit 5086ed681da4784474f0f71aaa70ec1d4940897c resolves the issue. As the sysctl value cannot be decreased once it has been set to "3" (one of the few times where Linux seems to actually show a mature approach to security by default), a reboot is required to apply the change.
Thanks, and best regards, Peter Müller
I believe this stops strace from working. See screenshot.
If I remember our conversation correctly, this should have worked for root. Is my assumption correct?
-Michael
On 13 Jun 2022, at 14:31, Michael Tremer michael.tremer@ipfire.org wrote:
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
On 11 Jun 2022, at 19:53, Peter Müller peter.mueller@ipfire.org wrote:
See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for the upstream rationale. Enabling YAMA gives us the benefit of additional hardening options available, without any obvious downsides.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/kernel/kernel.config.aarch64-ipfire | 2 +- config/kernel/kernel.config.armv6l-ipfire | 2 +- config/kernel/kernel.config.riscv64-ipfire | 2 +- config/kernel/kernel.config.x86_64-ipfire | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 6dfeae595..7e63b77ca 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7555,7 +7555,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 1bb745a87..1b6440b11 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7561,7 +7561,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index 2d1fdbd28..2d6bb3a2c 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6193,7 +6193,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index b84698235..0efe14c41 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y -- 2.35.3
Yes, I did figure that one out.
However, I disagree with making debugging that difficult. Anything that is running in production cannot be easily rebooted to just change a sysctl setting.
Is there any harm in setting it to 2? I understand it that only root is allowed to perform ptrace().
If an attacker has already gained root privileges I do not consider this a large benefit to further exploit the system.
-Michael
On 29 Jun 2022, at 21:09, Peter Müller peter.mueller@ipfire.org wrote:
Hello Michael,
thank you for reporting this.
Commit 5086ed681da4784474f0f71aaa70ec1d4940897c resolves the issue. As the sysctl value cannot be decreased once it has been set to "3" (one of the few times where Linux seems to actually show a mature approach to security by default), a reboot is required to apply the change.
Thanks, and best regards, Peter Müller
I believe this stops strace from working. See screenshot.
If I remember our conversation correctly, this should have worked for root. Is my assumption correct?
-Michael
On 13 Jun 2022, at 14:31, Michael Tremer michael.tremer@ipfire.org wrote:
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
On 11 Jun 2022, at 19:53, Peter Müller peter.mueller@ipfire.org wrote:
See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for the upstream rationale. Enabling YAMA gives us the benefit of additional hardening options available, without any obvious downsides.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/kernel/kernel.config.aarch64-ipfire | 2 +- config/kernel/kernel.config.armv6l-ipfire | 2 +- config/kernel/kernel.config.riscv64-ipfire | 2 +- config/kernel/kernel.config.x86_64-ipfire | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 6dfeae595..7e63b77ca 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7555,7 +7555,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 1bb745a87..1b6440b11 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7561,7 +7561,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index 2d1fdbd28..2d6bb3a2c 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6193,7 +6193,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index b84698235..0efe14c41 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y -- 2.35.3
Hello Michael,
thanks for you reply.
Yes, I did figure that one out.
However, I disagree with making debugging that difficult. Anything that is running in production cannot be easily rebooted to just change a sysctl setting.
In this case, this came from the kernel itself - and in my opinion, it makes sense to make this irreversible if ptrace() has been already completely forbidden. I wish more sysctl's would adapt such a "fuse" behaviour...
Is there any harm in setting it to 2? I understand it that only root is allowed to perform ptrace().
No, I don't think so, it just fell through the cracks on my end when I was implementing this.
If an attacker has already gained root privileges I do not consider this a large benefit to further exploit the system.
ACK.
Thanks, and best regards, Peter Müller
-Michael
On 29 Jun 2022, at 21:09, Peter Müller peter.mueller@ipfire.org wrote:
Hello Michael,
thank you for reporting this.
Commit 5086ed681da4784474f0f71aaa70ec1d4940897c resolves the issue. As the sysctl value cannot be decreased once it has been set to "3" (one of the few times where Linux seems to actually show a mature approach to security by default), a reboot is required to apply the change.
Thanks, and best regards, Peter Müller
I believe this stops strace from working. See screenshot.
If I remember our conversation correctly, this should have worked for root. Is my assumption correct?
-Michael
On 13 Jun 2022, at 14:31, Michael Tremer michael.tremer@ipfire.org wrote:
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
On 11 Jun 2022, at 19:53, Peter Müller peter.mueller@ipfire.org wrote:
See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for the upstream rationale. Enabling YAMA gives us the benefit of additional hardening options available, without any obvious downsides.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/kernel/kernel.config.aarch64-ipfire | 2 +- config/kernel/kernel.config.armv6l-ipfire | 2 +- config/kernel/kernel.config.riscv64-ipfire | 2 +- config/kernel/kernel.config.x86_64-ipfire | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 6dfeae595..7e63b77ca 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7555,7 +7555,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 1bb745a87..1b6440b11 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7561,7 +7561,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index 2d1fdbd28..2d6bb3a2c 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6193,7 +6193,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index b84698235..0efe14c41 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y -- 2.35.3
Hello,
On 1 Jul 2022, at 09:55, Peter Müller peter.mueller@ipfire.org wrote:
Hello Michael,
thanks for you reply.
Yes, I did figure that one out. However, I disagree with making debugging that difficult. Anything that is running in production cannot be easily rebooted to just change a sysctl setting.
In this case, this came from the kernel itself - and in my opinion, it makes sense to make this irreversible if ptrace() has been already completely forbidden. I wish more sysctl's would adapt such a "fuse" behaviour...
I would kind of prefer to configure this at compile time.
Is there any harm in setting it to 2? I understand it that only root is allowed to perform ptrace().
No, I don't think so, it just fell through the cracks on my end when I was implementing this.
Thank you.
If an attacker has already gained root privileges I do not consider this a large benefit to further exploit the system.
ACK.
Thanks, and best regards, Peter Müller
-Michael
On 29 Jun 2022, at 21:09, Peter Müller peter.mueller@ipfire.org wrote:
Hello Michael,
thank you for reporting this.
Commit 5086ed681da4784474f0f71aaa70ec1d4940897c resolves the issue. As the sysctl value cannot be decreased once it has been set to "3" (one of the few times where Linux seems to actually show a mature approach to security by default), a reboot is required to apply the change.
Thanks, and best regards, Peter Müller
I believe this stops strace from working. See screenshot.
If I remember our conversation correctly, this should have worked for root. Is my assumption correct?
-Michael
On 13 Jun 2022, at 14:31, Michael Tremer michael.tremer@ipfire.org wrote:
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
On 11 Jun 2022, at 19:53, Peter Müller peter.mueller@ipfire.org wrote:
See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for the upstream rationale. Enabling YAMA gives us the benefit of additional hardening options available, without any obvious downsides.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/kernel/kernel.config.aarch64-ipfire | 2 +- config/kernel/kernel.config.armv6l-ipfire | 2 +- config/kernel/kernel.config.riscv64-ipfire | 2 +- config/kernel/kernel.config.x86_64-ipfire | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 6dfeae595..7e63b77ca 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7555,7 +7555,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 1bb745a87..1b6440b11 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7561,7 +7561,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index 2d1fdbd28..2d6bb3a2c 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6193,7 +6193,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index b84698235..0efe14c41 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y -- 2.35.3
-
Michael Tremer -
Peter Müller