diff options
| -rw-r--r-- | config/10-default-yama-scope.conf | 35 | ||||
| -rw-r--r-- | config/ChangeLog | 7 | ||||
| -rw-r--r-- | config/Makefile.am | 4 | ||||
| -rw-r--r-- | config/elfutils.spec.in | 25 |
4 files changed, 69 insertions, 2 deletions
diff --git a/config/10-default-yama-scope.conf b/config/10-default-yama-scope.conf new file mode 100644 index 00000000..ba78ebd5 --- /dev/null +++ b/config/10-default-yama-scope.conf @@ -0,0 +1,35 @@ +# When yama is enabled in the kernel it might be used to filter any user +# space access which requires PTRACE_MODE_ATTACH like ptrace attach, access +# to /proc/PID/{mem,personality,stack,syscall}, and the syscalls +# process_vm_readv and process_vm_writev which are used for interprocess +# services, communication and introspection (like synchronisation, signaling, +# debugging, tracing and profiling) of processes. +# +# Usage of ptrace attach is restricted by normal user permissions. Normal +# unprivileged processes cannot interact through ptrace with processes +# that they cannot send signals to or processes that are running set-uid +# or set-gid. +# +# yama ptrace scope can be used to reduce these permissions even more. +# This should normally not be done because it will break various programs +# relying on the default ptrace security restrictions. But can be used +# if you don't have any other way to separate processes in their own +# domains. A different way to restrict ptrace is to set the selinux +# deny_ptrace boolean. Both mechanisms will break some programs relying +# on the ptrace system call and might force users to elevate their +# priviliges to root to do their work. +# +# For more information see Documentation/security/Yama.txt in the kernel +# sources. Which also describes the defaults when CONFIG_SECURITY_YAMA +# is enabled in a kernel build (currently 1 for ptrace_scope). +# +# This runtime kernel parameter can be set to the following options: +# (Note that setting this to anything except zero will break programs!) +# +# 0 - Default attach security permissions. +# 1 - Restricted attach. Only child processes plus normal permissions. +# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE. +# 3 - No attach. No process may call ptrace at all. Irrevocable. +# +kernel.yama.ptrace_scope = 0 + diff --git a/config/ChangeLog b/config/ChangeLog index 00f3ddc4..31eeca7a 100644 --- a/config/ChangeLog +++ b/config/ChangeLog @@ -1,3 +1,10 @@ +2015-08-04 Mark Wielaard <[email protected]> + + * 10-default-yama-scope.conf: New file. + * Makefile.am (EXTRA_DIST): Add 10-default-yama-scope.conf. + * elfutils.spec.in (Requires): default-yama-scope. + (default-yama-scope): New package. + 2015-06-19 Mark Wielaard <[email protected]> * elfutils.spec.in: Update for 0.163. diff --git a/config/Makefile.am b/config/Makefile.am index 6e61b778..23f7b655 100644 --- a/config/Makefile.am +++ b/config/Makefile.am @@ -1,7 +1,7 @@ ## Process this file with automake to produce Makefile.in -*-Makefile-*- ## Configure input file for elfutils. ## -## Copyright (C) 2004, 2005, 2008, 2009, 2011 Red Hat, Inc. +## Copyright (C) 2004, 2005, 2008, 2009, 2011, 2015 Red Hat, Inc. ## This file is part of elfutils. ## ## This file is free software; you can redistribute it and/or modify @@ -28,7 +28,7 @@ ## the GNU Lesser General Public License along with this program. If ## not, see <http://www.gnu.org/licenses/>. ## -EXTRA_DIST = elfutils.spec.in known-dwarf.awk +EXTRA_DIST = elfutils.spec.in known-dwarf.awk 10-default-yama-scope.conf if MAINTAINER_MODE $(srcdir)/elfutils.spec.in: $(top_srcdir)/NEWS diff --git a/config/elfutils.spec.in b/config/elfutils.spec.in index 5407f1ab..e5f6e29c 100644 --- a/config/elfutils.spec.in +++ b/config/elfutils.spec.in @@ -10,6 +10,7 @@ Obsoletes: libelf libelf-devel Requires: elfutils-libelf = %{version}-%{release} Requires: glibc >= 2.7 Requires: libstdc++ +Requires: default-yama-scope # ExcludeArch: xxx @@ -97,6 +98,22 @@ Conflicts: libelf-devel The elfutils-libelf-static package contains the static archive for libelf. +%package default-yama-scope +Summary: Default yama attach scope sysctl setting +Group: Development/Tools +License: GPLv2+ or LGPLv3+ +Provides: default-yama-scope +BuildArch: noarch + +%description default-yama-scope +Yama sysctl setting to enable default attach scope settings +enabling programs to use ptrace attach, access to +/proc/PID/{mem,personality,stack,syscall}, and the syscalls +process_vm_readv and process_vm_writev which are used for +interprocess services, communication and introspection +(like synchronisation, signaling, debugging, tracing and +profiling) of processes. + %prep %setup -q @@ -121,6 +138,8 @@ chmod +x ${RPM_BUILD_ROOT}%{_prefix}/%{_lib}/elfutils/lib*.so* rm -f .%{_libdir}/libasm.a } +install -Dm0644 config/10-default-yama-scope.conf ${RPM_BUILD_ROOT}%{_sysctldir}/10-default-yama-scope.conf + %check make check @@ -135,6 +154,9 @@ rm -rf ${RPM_BUILD_ROOT} %postun libelf -p /sbin/ldconfig +%post default-yama-scope +%sysctl_apply 10-default-yama-scope.conf + %files %defattr(-,root,root) %doc COPYING COPYING-GPLV2 COPYING-LGPLV3 README TODO CONTRIBUTING @@ -197,6 +219,9 @@ rm -rf ${RPM_BUILD_ROOT} %files libelf-devel-static %{_libdir}/libelf.a +%files default-yama-scope +%config(noreplace) %{_sysctldir}/10-default-yama-scope.conf + %changelog * Fri Jun 19 2015 Mark Wielaard <[email protected]> 0.163-1 - Bug fixes only, no new features. |