FS#36846 - [linux] enable CONFIG_SECURITY_YAMA

Attached to Project: Arch Linux
Opened by Travis Kendrick (pouar) - Monday, 09 September 2013, 23:52 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Friday, 31 January 2014, 12:42 GMT
Task Type Bug Report
Category Packages: Testing
Status Closed
Assigned To Tobias Powalowski (tpowa)
Thomas Bächler (brain0)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

yama is a new security module introduced in 3.4 which has the ability to restrict ptrace, which could prevent some malware from running. Could you enable it

Closed by  Bartłomiej Piotrowski (Barthalion)
Friday, 31 January 2014, 12:42 GMT
Reason for closing:  Implemented
Comment by Travis Kendrick (pouar) - Saturday, 21 September 2013, 06:16 GMT
  • Field changed: Percent Complete (100% → 0%)
I found out that at least part of yama is enabled even if CONFIG_DEFAULT_SECURITY_YAMA is not set. You can disable this part with "sysctl kernel.yama.ptrace_scope=0", which disables restricting ptrace to child processes; this restriction is what makes yama so secure. Or add the binary you want to use ptrace with by running "setcap cap_sys_ptrace=eip /path/to/program/to/whitelist" as root.
Comment by Tobias Powalowski (tpowa) - Saturday, 21 September 2013, 06:17 GMT
So what do you want from me?
Comment by Travis Kendrick (pouar) - Saturday, 21 September 2013, 15:49 GMT
just thought you might need to know in case anyone had any trouble. I couldn't exactly comment on a closed bug report, or could the forums be a better place for this?
Comment by Tobias Powalowski (tpowa) - Sunday, 22 September 2013, 11:42 GMT
So closing this again.
Comment by Vladislav Guberinic (neosisani) - Tuesday, 24 December 2013, 14:46 GMT
  • Field changed: Percent Complete (100% → 0%)
Having yama enabled makes some really useful stuff not work.

A common debugging situation is:

./someProgram &
ps ax | grep someProgram
gdb attach pid

This will not work unless I become root to attach to process which I'm trying to debug or I manually disable yama.
Comment by Travis Kendrick (pouar) - Tuesday, 24 December 2013, 19:14 GMT
you could add "kernel.yama.ptrace_scope = 0" to "/etc/sysctl.d/99-sysctl.conf" to disable it altogether at boot
or use "sysctl kernel.yama.ptrace_scope=0" to disable it temporarily, or maybe use "setcap cap_sys_ptrace=eip /usr/bin/gdb"
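The three ways of handling ptrace_scope mentioned in the comment above (sysctl.d drop-in, runtime sysctl, file capability on gdb) are easy to get wrong if you do not know what each scope value actually permits. The script below is an added example written for this page, not something posted in the bug report or shipped by Arch: it decodes the four documented ptrace_scope values (from the kernel's Yama documentation), reads the live value if /proc/sys/kernel/yama/ptrace_scope exists, and writes the sysctl.d drop-in to a path of your choosing. The function names and the default drop-in path /etc/sysctl.d/10-ptrace.conf are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the bug report or the Arch linux package): interpret
# kernel.yama.ptrace_scope and generate the /etc/sysctl.d drop-in discussed above.
# Scope meanings follow the kernel's Yama documentation; the function names and
# the default drop-in path are assumptions made for this example.

# Print what a given ptrace_scope value lets an unprivileged debugger do.
yama_scope_meaning() {
    case "$1" in
        0) echo "classic: same-uid processes may be traced (gdb -p on a sibling works)" ;;
        1) echo "restricted: only descendants, PR_SET_PTRACER targets, or CAP_SYS_PTRACE" ;;
        2) echo "admin-only: attach requires CAP_SYS_PTRACE" ;;
        3) echo "no attach: PTRACE_ATTACH disabled; cannot be lowered without reboot" ;;
        *) echo "unknown ptrace_scope value: $1" >&2; return 1 ;;
    esac
}

# Read the live value, or print "absent" when Yama is not built into the kernel.
current_yama_scope() {
    f=/proc/sys/kernel/yama/ptrace_scope
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Succeed (exit 0) only if an unprivileged user could attach to an unrelated
# same-uid process under the given scope, i.e. the "gdb attach pid" case above.
can_attach_sibling() {
    [ "$1" = 0 ]
}

# Write a sysctl drop-in pinning ptrace_scope to the requested value.
# The output file is a parameter so the function can be tested without touching /etc.
write_ptrace_scope_dropin() {
    scope=$1
    out=${2:-/etc/sysctl.d/10-ptrace.conf}
    case "$scope" in
        0|1|2|3) ;;
        *) echo "bad scope: $scope" >&2; return 1 ;;
    esac
    printf '# Yama ptrace restriction: 0 = classic, 1 = descendants only, 2 = root only, 3 = no attach\nkernel.yama.ptrace_scope = %s\n' "$scope" > "$out"
}

# Report the live state when run directly.
scope=$(current_yama_scope)
if [ "$scope" = absent ]; then
    echo "Yama is not available on this kernel"
else
    echo "ptrace_scope=$scope: $(yama_scope_meaning "$scope")"
fi
```

Two caveats worth knowing before choosing between the options: the sysctl route only takes effect if Yama is actually built in, and the setcap route (cap_sys_ptrace=eip on /usr/bin/gdb) grants CAP_SYS_PTRACE to every user who runs that gdb binary, which lets them attach to processes owned by other users as well, so it is a much broader relaxation than setting ptrace_scope to 0.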
Comment by Vladislav Guberinic (neosisani) - Tuesday, 24 December 2013, 20:05 GMT
Travis, I could do that. Sysctl would work perfectly. I'm not sure how setcap works in much detail.

What worries me is that people (eg. students) will install gdb for the first time and then get unexpected behaviour of debugger not working as advertised and give up.

Could we make it somehow that when gdb is installed it automatically either disables yama or does setcap magic?
Comment by Travis Kendrick (pouar) - Tuesday, 24 December 2013, 20:33 GMT
I think a warning appearing from the install script telling the user about this when installing or updating gdb is a good idea. I'm not sure I would want it to disable yama every single gdb update, because then I would have to re-enable it every single update.
Comment by Thomas Bächler (brain0) - Wednesday, 25 December 2013, 22:39 GMT
As long as such unexpected behaviour is enabled by default, this option will not be enabled.
Comment by Travis Kendrick (pouar) - Thursday, 26 December 2013, 05:15 GMT
maybe include "kernel.yama.ptrace_scope = 0" in a config file somewhere in /etc/sysctl.d in the package by default but add it to backup in the pkgbuild as well, this will disable all this to avoid any unexpected problems yama can cause but won't re-disable it after every upgrade if someone chooses to enable it.
Comment by Vladislav Guberinic (neosisani) - Sunday, 19 January 2014, 03:57 GMT
Can we revert the change which enabled this while we ponder what should be done with yama?
Comment by Travis Kendrick (pouar) - Sunday, 19 January 2014, 13:32 GMT
I guess
Comment by Leonid Isaev (lisaev) - Tuesday, 28 January 2014, 19:41 GMT
What is the point of this discussion and what exactly needs to be changed? Currently:
* CONFIG_DEFAULT_SECURITY_YAMA is not set and by default /proc/sys/kernel/yama/ptrace_scope is 0, so yama is disabled by default.
* Yama can be enforced by setting the above sysctl parameter to 1, 2 or 3.

So, I'd close this bugreport...
Comment by Travis Kendrick (pouar) - Tuesday, 28 January 2014, 22:16 GMT
@lisaev

I probably would too.
Comment by Vladislav Guberinic (neosisani) - Friday, 31 January 2014, 12:42 GMT
  • Field changed: Percent Complete (100% → 0%)
This is set in .config files for kernel:

CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_YAMA_STACKED=y

In /usr/lib/modules/3.13.0-2-ARCH/build/.config
(also found at) https://projects.archlinux.org/svntogit/packages.git/tree/trunk/config.x86_64?h=packages/linux

Please reopen again and fix this.