Message ID | 3c36dd77-0929-7134-7627-a3bf365cb22d@ipfire.org |
---|---|
State | Accepted |
Commit | 9b28e9d02be9c0e0c488434cfd731d47bb227838 |
Headers | Message-ID: <3c36dd77-0929-7134-7627-a3bf365cb22d@ipfire.org>; Date: Sat, 11 Jun 2022 18:53:10 +0000; To: "IPFire: Development" <development@lists.ipfire.org>; From: Peter Müller <peter.mueller@ipfire.org>; Subject: [PATCH] Kernel: Enable YAMA support |
Series | Kernel: Enable YAMA support |
Commit Message
Peter Müller
June 11, 2022, 6:53 p.m. UTC
See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for
the upstream rationale. Enabling YAMA gives us the benefit of additional
hardening options available, without any obvious downsides.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
config/kernel/kernel.config.aarch64-ipfire | 2 +-
config/kernel/kernel.config.armv6l-ipfire | 2 +-
config/kernel/kernel.config.riscv64-ipfire | 2 +-
config/kernel/kernel.config.x86_64-ipfire | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
Comments
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>

> On 11 Jun 2022, at 19:53, Peter Müller <peter.mueller@ipfire.org> wrote:
>
> See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for
> the upstream rationale. Enabling YAMA gives us the benefit of additional
> hardening options available, without any obvious downsides.
>
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
I believe this stops strace from working. See screenshot.

If I remember our conversation correctly, this should have worked for root. Is my assumption correct?

-Michael

> On 13 Jun 2022, at 14:31, Michael Tremer <michael.tremer@ipfire.org> wrote:
>
> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Hello Michael,

thank you for reporting this.

Commit 5086ed681da4784474f0f71aaa70ec1d4940897c resolves the issue. As the sysctl value
cannot be decreased once it has been set to "3" (one of the few times where Linux seems
to actually show a mature approach to security by default), a reboot is required to apply
the change.

Thanks, and best regards,
Peter Müller

> I believe this stops strace from working. See screenshot.
>
> If I remember our conversation correctly, this should have worked for root. Is my assumption correct?
>
> -Michael
Yes, I did figure that one out.

However, I disagree with making debugging that difficult. Anything that is running in production cannot be easily rebooted to just change a sysctl setting.

Is there any harm in setting it to 2? I understand it that only root is allowed to perform ptrace().

If an attacker has already gained root privileges I do not consider this a large benefit to further exploit the system.

-Michael

> On 29 Jun 2022, at 21:09, Peter Müller <peter.mueller@ipfire.org> wrote:
>
> Hello Michael,
>
> thank you for reporting this.
>
> Commit 5086ed681da4784474f0f71aaa70ec1d4940897c resolves the issue. As the sysctl value
> cannot be decreased once it has been set to "3" (one of the few times where Linux seems
> to actually show a mature approach to security by default), a reboot is required to apply
> the change.
>
> Thanks, and best regards,
> Peter Müller
Hello Michael,

thanks for your reply.

> Yes, I did figure that one out.
>
> However, I disagree with making debugging that difficult. Anything that is running in production cannot be easily rebooted to just change a sysctl setting.

In this case, this came from the kernel itself - and in my opinion, it makes sense to make this
irreversible if ptrace() has been already completely forbidden. I wish more sysctl's would adapt
such a "fuse" behaviour...

> Is there any harm in setting it to 2? I understand it that only root is allowed to perform ptrace().

No, I don't think so, it just fell through the cracks on my end when I was implementing this.

> If an attacker has already gained root privileges I do not consider this a large benefit to further exploit the system.

ACK.

Thanks, and best regards,
Peter Müller

> -Michael
Hello,

> On 1 Jul 2022, at 09:55, Peter Müller <peter.mueller@ipfire.org> wrote:
>
> Hello Michael,
>
> thanks for your reply.
>
>> Yes, I did figure that one out.
>> However, I disagree with making debugging that difficult. Anything that is running in production cannot be easily rebooted to just change a sysctl setting.
>
> In this case, this came from the kernel itself - and in my opinion, it makes sense to make this
> irreversible if ptrace() has been already completely forbidden. I wish more sysctl's would adapt
> such a "fuse" behaviour...

I would kind of prefer to configure this at compile time.

>> Is there any harm in setting it to 2? I understand it that only root is allowed to perform ptrace().
>
> No, I don't think so, it just fell through the cracks on my end when I was implementing this.

Thank you.

>> If an attacker has already gained root privileges I do not consider this a large benefit to further exploit the system.
>
> ACK.
>
> Thanks, and best regards,
> Peter Müller
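The ptrace_scope behaviour the thread above turns on (root can still attach at 2, nobody can at 3, and 3 cannot be lowered without a reboot), written out as a small user-space model. This is an added example, not kernel or IPFire code: it is a simplified model following the upstream Yama documentation linked in the commit message, and `struct tracer` and the `model_*` functions are hypothetical names.

```c
/* Simplified user-space model of Yama's ptrace_scope policy (added example,
 * not kernel source). Yama only adds restrictions; the ordinary ptrace
 * permission checks (UID match, dumpable, ...) still apply and are not modelled. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

enum yama_scope {
    YAMA_SCOPE_DISABLED   = 0, /* classic ptrace permissions */
    YAMA_SCOPE_RELATIONAL = 1, /* descendants or declared tracers only */
    YAMA_SCOPE_CAPABILITY = 2, /* "admin-only": CAP_SYS_PTRACE required */
    YAMA_SCOPE_NO_ATTACH  = 3  /* no attach for anyone; value is locked */
};

/* Hypothetical description of the process that wants to attach. */
struct tracer {
    bool has_cap_sys_ptrace;   /* typically root with a full capability set */
    bool target_is_descendant; /* the tracee was forked from the tracer */
    bool target_declared_us;   /* tracee called prctl(PR_SET_PTRACER, tracer) */
};

/* Yama's verdict on PTRACE_ATTACH / PTRACE_SEIZE: 0 = no objection, -EPERM = denied. */
int model_attach_check(int scope, const struct tracer *t)
{
    switch (scope) {
    case YAMA_SCOPE_DISABLED:
        return 0;
    case YAMA_SCOPE_RELATIONAL:
        if (t->target_is_descendant || t->target_declared_us ||
            t->has_cap_sys_ptrace)
            return 0;
        return -EPERM;
    case YAMA_SCOPE_CAPABILITY:
        return t->has_cap_sys_ptrace ? 0 : -EPERM;
    case YAMA_SCOPE_NO_ATTACH:
    default:
        return -EPERM; /* not even CAP_SYS_PTRACE helps */
    }
}

/* Model of a write to kernel.yama.ptrace_scope. Returns 0 or a negative errno. */
int model_sysctl_write(int *scope, int new_value, bool writer_has_cap_sys_ptrace)
{
    int min = YAMA_SCOPE_DISABLED;
    int max = YAMA_SCOPE_NO_ATTACH;

    if (!writer_has_cap_sys_ptrace)
        return -EPERM;
    if (*scope == max)
        min = max;              /* the "fuse": once at 3, only 3 is in range */
    if (new_value < min || new_value > max)
        return -EINVAL;
    *scope = new_value;
    return 0;
}

int main(void)
{
    const struct tracer root   = { true,  false, false };
    const struct tracer parent = { false, true,  false }; /* e.g. strace <cmd> */
    const struct tracer other  = { false, false, false }; /* e.g. strace -p <pid> */
    int scope;

    puts("scope  root  unpriv-parent  unpriv-other");
    for (scope = 0; scope <= 3; scope++)
        printf("%5d  %-4s  %-13s  %s\n", scope,
               model_attach_check(scope, &root)   ? "deny" : "ok",
               model_attach_check(scope, &parent) ? "deny" : "ok",
               model_attach_check(scope, &other)  ? "deny" : "ok");

    scope = YAMA_SCOPE_CAPABILITY;
    printf("2 -> 3: %d\n", model_sysctl_write(&scope, 3, true)); /* accepted */
    printf("3 -> 2: %d (scope stays %d until reboot)\n",
           model_sysctl_write(&scope, 2, true), scope);
    return 0;
}
```

On a running system the current value can be read from `/proc/sys/kernel/yama/ptrace_scope`.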
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 6dfeae595..7e63b77ca 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7555,7 +7555,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 1bb745a87..1b6440b11 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7561,7 +7561,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index 2d1fdbd28..2d6bb3a2c 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6193,7 +6193,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index b84698235..0efe14c41 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire 
@@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
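Review bot: The commit message does not say which ptrace policy results from the `+CONFIG_SECURITY_YAMA=y` line in the kernel.config.aarch64-ipfire hunk (the same line appears in the other three configs). The diffstat lists only the four kernel configs, so kernel.yama.ptrace_scope is left at whatever the kernel default or an existing sysctl file provides; with Yama built in, the upstream default is 1 (restricted), which already blocks unprivileged attach to non-descendant processes. Please state the intended ptrace_scope value and where it is set, and spell out the effect on gdb and strace instead of "without any obvious downsides".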
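Review bot: Missing check in the kernel.config.armv6l-ipfire hunk (and equally in the other three): only `CONFIG_SECURITY_YAMA` changes and no `CONFIG_LSM` line is touched. On kernels that use the ordered `CONFIG_LSM` list, an LSM that is built in but not named in that list (or in the `lsm=` boot parameter) is not initialised. Please confirm that `yama` is present in `CONFIG_LSM` for each of the four configs, and add it in this patch if it is not.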