[Tails-dev] Bug#704750: src:linux: Please enable Yama LSM

Borrar esta mensaxe

Responder a esta mensaxe
Autor: intrigeri
Data:  
Para: Debian Bug Tracking System
Asunto: [Tails-dev] Bug#704750: src:linux: Please enable Yama LSM
Source: linux
Severity: wishlist
X-Debbugs-Cc: tails-dev@???

Hi,

TL;DR -> please enable enable SECURITY and SECURITY_YAMA_STACKED.

as the maintainers of the Debian Linux kernel surely know, the Yama
LSM "collects a number of system-wide DAC security protections that
are not handled by the core kernel itself", including ptrace scope
restrictions on which user/process can examine the memory and running
state of other processes.
Details can be found in Documentation/security/Yama.txt.

It was considered [1] for backporting in the Wheezy kernel, but did
not make it eventually. Yama is part of the mainline Linux kernel
since 3.4. Moreover, since Linux 3.7, the Yama LSM can be
automatically stacked regardless of which security module is the
"primary" module, so it's compatible with AppArmor.

[1] https://lists.debian.org/debian-kernel/2012/06/msg00074.html

I've been testing Yama, combined with AppArmor, on my main Wheezy
desktop system since February, compiling every kernel from Debian
experimental (starting with 3.7.8-1~experimental.1, until current
3.8.5-1~experimental.1) with the `SECURITY_YAMA` and
`SECURITY_YAMA_STACKED` options enabled. I've not noticed
any regression.

Regarding the ptrace_scope setting:

  * The default is "1" (restricted ptrace).
  * Ubuntu has been running with something equivalent to the default
    mode ("1") since 10.10, so most serious blockers should have been
    resolved hopefully.
  * I've been running it in the stricter "2 - admin-only attach" mode,
    instead of the default "1 - restricted ptrace" one, and did not
    notice any issue. However, this setting is supposed to break
    various crash handlers, so it's probably not an option for default
    Debian installations.


So, I suggest we keep the default value ("1") for Jessie.

The beginning of the Jessie development cycle seems like a good time
to bring such changes in, so I suggest Yama is enabled in our 3.8+
kernels once the kernel team is done with their last Wheezy-related
urgent tasks :)

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc