restrict access to ptrace
Originally created by Tails on #5999 (Redmine)
The Yama LSM "collects a number of system-wide DAC security protections that are not handled by the core kernel itself", including ptrace scope restrictions on which user/process can examine the memory and running state of other processes.
Yama is part of the mainline Linux kernel since 3.4 (and its link restrictions features merged into the core kernel, outside of the LSM, in 3.6).
Since Linux 3.7, the Yama LSM can be automatically stacked regardless of
which security module is the "primary" module, so it’s compatible
with using AppArmor some day (#5370 (closed)). One just has to keep their
apparmor=1 security=apparmor
kernel options, add none specific to
Yama, and both AppArmor and Yama will be enabled as a result
(successfully tested on Debian’s linux-image-3.7-trunk-amd64
3.7.8-1~experimental.1 recompiled with SECURITY_YAMA
and
SECURITY_YAMA_STACKED
enabled).
We probably can dare running in the stricter "2 - admin-only attach" mode, instead of the default "1 - restricted ptrace" one. It works fine on a Wheezy GNOME desktop, and should mostly break crash handlers that we don’t care about (we don’t really want to see Tails users send random stack traces to upstream developers).
- done Have the Debian 3.7+ kernel shipped with Yama built in. Asked as Debian bug #704750, applied, and 3.9.x has reached sid.
- done Tails 0.19 ships Linux 3.9 or later
- Enable Yama: 3.9.7-1 will disable it (pending for 0.19.1 and 0.20).