rpms/elfutils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

0.163-3 - Add elfutils-0.163-default-yama-conf.patch

Browse Source 
Provides: default-yama-scope
Resolves: #1250079
This commit is contained in:
Mark Wielaard 2015-08-04 14:27:51 +02:00
parent 73d5406ef3
commit 61e0d33b8a
2 changed files with 214 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

166
elfutils-0.163-default-yama-conf.patch Normal file
View File

@ -0,0 +1,166 @@
commit 65a818baa4bcae96c1e9516420fcd87a2db3c863
Author: Mark Wielaard <mjw@redhat.com>
Date: Tue Aug 4 12:20:20 2015 +0200
spec: Provide default-yama-scope.
When yama is enabled in the kernel it might be used to filter any user
space access which requires PTRACE_MODE_ATTACH like ptrace attach, access
to /proc/PID/{mem,personality,stack,syscall}, and the syscalls
process_vm_readv and process_vm_writev which are used for interprocess
services, communication and introspection (like synchronisation, signaling,
debugging, tracing and profiling) of processes.
These are precisely the things that libdw dwfl and ebl backends rely on.
So make sure they don't mysteriously fail in such cases by providing the
default yama scope sysctl value.
This is implemented as a separate subpackage that just provides this
functionality so other packages that don't directly rely on elfutils-libs
can also just Require: default-yama-scope to function properly.
https://bugzilla.redhat.com/show_bug.cgi?id=1209492#c69
Signed-off-by: Mark Wielaard <mjw@redhat.com>
diff --git a/config/10-default-yama-scope.conf b/config/10-default-yama-scope.conf
new file mode 100644
index 0000000..ba78ebd
--- /dev/null
+++ b/config/10-default-yama-scope.conf
@@ -0,0 +1,35 @@
+# When yama is enabled in the kernel it might be used to filter any user
+# space access which requires PTRACE_MODE_ATTACH like ptrace attach, access
+# to /proc/PID/{mem,personality,stack,syscall}, and the syscalls
+# process_vm_readv and process_vm_writev which are used for interprocess
+# services, communication and introspection (like synchronisation, signaling,
+# debugging, tracing and profiling) of processes.
+#
+# Usage of ptrace attach is restricted by normal user permissions. Normal
+# unprivileged processes cannot interact through ptrace with processes
+# that they cannot send signals to or processes that are running set-uid
+# or set-gid.
+#
+# yama ptrace scope can be used to reduce these permissions even more.
+# This should normally not be done because it will break various programs
+# relying on the default ptrace security restrictions. But can be used
+# if you don't have any other way to separate processes in their own
+# domains. A different way to restrict ptrace is to set the selinux
+# deny_ptrace boolean. Both mechanisms will break some programs relying
+# on the ptrace system call and might force users to elevate their
+# priviliges to root to do their work.
+#
+# For more information see Documentation/security/Yama.txt in the kernel
+# sources. Which also describes the defaults when CONFIG_SECURITY_YAMA
+# is enabled in a kernel build (currently 1 for ptrace_scope).
+#
+# This runtime kernel parameter can be set to the following options:
+# (Note that setting this to anything except zero will break programs!)
+#
+# 0 - Default attach security permissions.
+# 1 - Restricted attach. Only child processes plus normal permissions.
+# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.
+# 3 - No attach. No process may call ptrace at all. Irrevocable.
+#
+kernel.yama.ptrace_scope = 0
+
diff --git a/config/ChangeLog b/config/ChangeLog
index 00f3ddc..31eeca7 100644
--- a/config/ChangeLog
+++ b/config/ChangeLog
@@ -1,3 +1,10 @@
+2015-08-04 Mark Wielaard <mjw@redhat.com>
+
+ * 10-default-yama-scope.conf: New file.
+ * Makefile.am (EXTRA_DIST): Add 10-default-yama-scope.conf.
+ * elfutils.spec.in (Requires): default-yama-scope.
+ (default-yama-scope): New package.
+
2015-06-19 Mark Wielaard <mjw@redhat.com>
* elfutils.spec.in: Update for 0.163.
diff --git a/config/Makefile.am b/config/Makefile.am
index 6e61b77..23f7b65 100644
--- a/config/Makefile.am
+++ b/config/Makefile.am
@@ -1,7 +1,7 @@
## Process this file with automake to produce Makefile.in -*-Makefile-*-
## Configure input file for elfutils.
##
-## Copyright (C) 2004, 2005, 2008, 2009, 2011 Red Hat, Inc.
+## Copyright (C) 2004, 2005, 2008, 2009, 2011, 2015 Red Hat, Inc.
## This file is part of elfutils.
##
## This file is free software; you can redistribute it and/or modify
@@ -28,7 +28,7 @@
## the GNU Lesser General Public License along with this program. If
## not, see <http://www.gnu.org/licenses/>.
##
-EXTRA_DIST = elfutils.spec.in known-dwarf.awk
+EXTRA_DIST = elfutils.spec.in known-dwarf.awk 10-default-yama-scope.conf
if MAINTAINER_MODE
$(srcdir)/elfutils.spec.in: $(top_srcdir)/NEWS
diff --git a/config/elfutils.spec.in b/config/elfutils.spec.in
index 5407f1a..e5f6e29 100644
--- a/config/elfutils.spec.in
+++ b/config/elfutils.spec.in
@@ -10,6 +10,7 @@ Obsoletes: libelf libelf-devel
Requires: elfutils-libelf = %{version}-%{release}
Requires: glibc >= 2.7
Requires: libstdc++
+Requires: default-yama-scope
# ExcludeArch: xxx
@@ -97,6 +98,22 @@ Conflicts: libelf-devel
The elfutils-libelf-static package contains the static archive
for libelf.
+%package default-yama-scope
+Summary: Default yama attach scope sysctl setting
+Group: Development/Tools
+License: GPLv2+ or LGPLv3+
+Provides: default-yama-scope
+BuildArch: noarch
+
+%description default-yama-scope
+Yama sysctl setting to enable default attach scope settings
+enabling programs to use ptrace attach, access to
+/proc/PID/{mem,personality,stack,syscall}, and the syscalls
+process_vm_readv and process_vm_writev which are used for
+interprocess services, communication and introspection
+(like synchronisation, signaling, debugging, tracing and
+profiling) of processes.
+
%prep
%setup -q
@@ -121,6 +138,8 @@ chmod +x ${RPM_BUILD_ROOT}%{_prefix}/%{_lib}/elfutils/lib*.so*
rm -f .%{_libdir}/libasm.a
}
+install -Dm0644 config/10-default-yama-scope.conf ${RPM_BUILD_ROOT}%{_sysctldir}/10-default-yama-scope.conf
+
%check
make check
@@ -135,6 +154,9 @@ rm -rf ${RPM_BUILD_ROOT}
%postun libelf -p /sbin/ldconfig
+%post default-yama-scope
+%sysctl_apply 10-default-yama-scope.conf
+
%files
%defattr(-,root,root)
%doc COPYING COPYING-GPLV2 COPYING-LGPLV3 README TODO CONTRIBUTING
@@ -197,6 +219,9 @@ rm -rf ${RPM_BUILD_ROOT}
%files libelf-devel-static
%{_libdir}/libelf.a
+%files default-yama-scope
+%config(noreplace) %{_sysctldir}/10-default-yama-scope.conf
+
%changelog
* Fri Jun 19 2015 Mark Wielaard <mark@gmail.com> 0.163-1
- Bug fixes only, no new features.

49
elfutils.spec
View File

@ -1,7 +1,7 @@
Name: elfutils
Summary: A collection of utilities and DSOs to handle compiled objects
Version: 0.163
%global baserelease 2
%global baserelease 3
URL: https://fedorahosted.org/elfutils/
%global source_url http://fedorahosted.org/releases/e/l/elfutils/%{version}/
License: GPLv3+ and (GPLv2+ or LGPLv3+)
@ -18,6 +18,7 @@ Group: Development/Tools
%global separate_devel_static 1
%global use_zlib 0
%global use_xz 0
%global provide_yama_scope 0
%if 0%{?rhel}
%global portability (%rhel < 6)
@ -32,6 +33,7 @@ Group: Development/Tools
%global separate_devel_static (%fedora >= 7)
%global use_zlib (%fedora >= 5)
%global use_xz (%fedora >= 10)
%global provide_yama_scope (%fedora >= 22)
%endif
%if %{compat} || %{!?rhel:6}%{?rhel} < 6
@ -48,6 +50,8 @@ Patch1: %{?source_url}elfutils-portability-%{version}.patch
Patch2: elfutils-0.163-unstrip-shf_info_link.patch
Patch3: elfutils-0.163-default-yama-conf.patch
%if !%{compat}
Release: %{baserelease}%{?dist}
%else
@ -99,6 +103,9 @@ License: GPLv2+ or LGPLv3+
Provides: elfutils-libs%{depsuffix} = %{version}-%{release}
%endif
Requires: elfutils-libelf%{depsuffix} = %{version}-%{release}
%if %{provide_yama_scope}
Requires: default-yama-scope
%endif
%description libs
The elfutils-libs package contains libraries which implement DWARF, ELF,
@ -187,6 +194,26 @@ Requires: elfutils-libelf-devel%{depsuffix} = %{version}-%{release}
The elfutils-libelf-static package contains the static archive
for libelf.
%if %{provide_yama_scope}
%package default-yama-scope
Summary: Default yama attach scope sysctl setting
Group: Development/Tools
License: GPLv2+ or LGPLv3+
Provides: default-yama-scope
BuildArch: noarch
# For the sysctl_apply macro
BuildRequires: systemd >= 215
%description default-yama-scope
Yama sysctl setting to enable default attach scope settings
enabling programs to use ptrace attach, access to
/proc/PID/{mem,personality,stack,syscall}, and the syscalls
process_vm_readv and process_vm_writev which are used for
interprocess services, communication and introspection
(like synchronisation, signaling, debugging, tracing and
profiling) of processes.
%endif
%prep
%setup -q
@ -208,6 +235,7 @@ sed -i.scanf-m -e 's/%m/%a/g' src/addr2line.c tests/line2addr.c
%endif
%patch2 -p1 -b .shf_info_link
%patch3 -p1 -b .yama_scope
find . -name \*.sh ! -perm -0100 -print | xargs chmod +x
@ -250,6 +278,10 @@ chmod +x ${RPM_BUILD_ROOT}%{_prefix}/%{_lib}/elfutils/lib*.so*
%find_lang %{name}
%if %{provide_yama_scope}
install -Dm0644 config/10-default-yama-scope.conf ${RPM_BUILD_ROOT}%{_sysctldir}/10-default-yama-scope.conf
%endif
%check
make -s %{?_smp_mflags} check || (cat tests/test-suite.log; %{nocheck})
@ -264,6 +296,11 @@ rm -rf ${RPM_BUILD_ROOT}
%postun libelf -p /sbin/ldconfig
%if %{provide_yama_scope}
%post default-yama-scope
%sysctl_apply 10-default-yama-scope.conf
%endif
%files
%defattr(-,root,root)
%{!?_licensedir:%global license %%doc}
@ -336,7 +373,17 @@ rm -rf ${RPM_BUILD_ROOT}
%defattr(-,root,root)
%{_libdir}/libelf.a
%if %{provide_yama_scope}
%files default-yama-scope
%defattr(-,root,root)
%config(noreplace) %{_sysctldir}/10-default-yama-scope.conf
%endif
%changelog
* Tue Aug 04 2015 Mark Wielaard <mjw@redhat.com> - 0.163-3
- Add elfutils-0.163-default-yama-conf.patch (#1250079)
Provides: default-yama-scope
* Mon Aug 03 2015 Mark Wielaard <mjw@redhat.com> - 0.163-2
- Add elfutils-0.163-unstrip-shf_info_link.patch