rpms/elfutils
7
0
Fork 0
Code Issues Pull Requests Releases Activity
61e0d33b8a
elfutils/elfutils-0.163-default-yama-conf.patch
Mark Wielaard 61e0d33b8a 0.163-3 - Add elfutils-0.163-default-yama-conf.patch 
Provides: default-yama-scope
Resolves: #1250079
2015-08-04 15:31:22 +02:00

167 lines
6.2 KiB
Diff
Raw Blame History

commit 65a818baa4bcae96c1e9516420fcd87a2db3c863
Author: Mark Wielaard <mjw@redhat.com>
Date: Tue Aug 4 12:20:20 2015 +0200
spec: Provide default-yama-scope.
When yama is enabled in the kernel it might be used to filter any user
space access which requires PTRACE_MODE_ATTACH like ptrace attach, access
to /proc/PID/{mem,personality,stack,syscall}, and the syscalls
process_vm_readv and process_vm_writev which are used for interprocess
services, communication and introspection (like synchronisation, signaling,
debugging, tracing and profiling) of processes.
These are precisely the things that libdw dwfl and ebl backends rely on.
So make sure they don't mysteriously fail in such cases by providing the
default yama scope sysctl value.
This is implemented as a separate subpackage that just provides this
functionality so other packages that don't directly rely on elfutils-libs
can also just Require: default-yama-scope to function properly.
https://bugzilla.redhat.com/show_bug.cgi?id=1209492#c69
Signed-off-by: Mark Wielaard <mjw@redhat.com>
diff --git a/config/10-default-yama-scope.conf b/config/10-default-yama-scope.conf
new file mode 100644
index 0000000..ba78ebd
--- /dev/null
+++ b/config/10-default-yama-scope.conf
@@ -0,0 +1,35 @@
+# When yama is enabled in the kernel it might be used to filter any user
+# space access which requires PTRACE_MODE_ATTACH like ptrace attach, access
+# to /proc/PID/{mem,personality,stack,syscall}, and the syscalls
+# process_vm_readv and process_vm_writev which are used for interprocess
+# services, communication and introspection (like synchronisation, signaling,
+# debugging, tracing and profiling) of processes.
+#
+# Usage of ptrace attach is restricted by normal user permissions. Normal
+# unprivileged processes cannot interact through ptrace with processes
+# that they cannot send signals to or processes that are running set-uid
+# or set-gid.
+#
+# yama ptrace scope can be used to reduce these permissions even more.
+# This should normally not be done because it will break various programs
+# relying on the default ptrace security restrictions. But can be used
+# if you don't have any other way to separate processes in their own
+# domains. A different way to restrict ptrace is to set the selinux
+# deny_ptrace boolean. Both mechanisms will break some programs relying
+# on the ptrace system call and might force users to elevate their
+# priviliges to root to do their work.
+#
+# For more information see Documentation/security/Yama.txt in the kernel
+# sources. Which also describes the defaults when CONFIG_SECURITY_YAMA
+# is enabled in a kernel build (currently 1 for ptrace_scope).
+#
+# This runtime kernel parameter can be set to the following options:
+# (Note that setting this to anything except zero will break programs!)
+#
+# 0 - Default attach security permissions.
+# 1 - Restricted attach. Only child processes plus normal permissions.
+# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.
+# 3 - No attach. No process may call ptrace at all. Irrevocable.
+#
+kernel.yama.ptrace_scope = 0
+
diff --git a/config/ChangeLog b/config/ChangeLog
index 00f3ddc..31eeca7 100644
--- a/config/ChangeLog
+++ b/config/ChangeLog
@@ -1,3 +1,10 @@
+2015-08-04 Mark Wielaard <mjw@redhat.com>
+
+ * 10-default-yama-scope.conf: New file.
+ * Makefile.am (EXTRA_DIST): Add 10-default-yama-scope.conf.
+ * elfutils.spec.in (Requires): default-yama-scope.
+ (default-yama-scope): New package.
+
2015-06-19 Mark Wielaard <mjw@redhat.com>
* elfutils.spec.in: Update for 0.163.
diff --git a/config/Makefile.am b/config/Makefile.am
index 6e61b77..23f7b65 100644
--- a/config/Makefile.am
+++ b/config/Makefile.am
@@ -1,7 +1,7 @@
## Process this file with automake to produce Makefile.in -*-Makefile-*-
## Configure input file for elfutils.
##
-## Copyright (C) 2004, 2005, 2008, 2009, 2011 Red Hat, Inc.
+## Copyright (C) 2004, 2005, 2008, 2009, 2011, 2015 Red Hat, Inc.
## This file is part of elfutils.
##
## This file is free software; you can redistribute it and/or modify
@@ -28,7 +28,7 @@
## the GNU Lesser General Public License along with this program. If
## not, see <http://www.gnu.org/licenses/>.
##
-EXTRA_DIST = elfutils.spec.in known-dwarf.awk
+EXTRA_DIST = elfutils.spec.in known-dwarf.awk 10-default-yama-scope.conf
if MAINTAINER_MODE
$(srcdir)/elfutils.spec.in: $(top_srcdir)/NEWS
diff --git a/config/elfutils.spec.in b/config/elfutils.spec.in
index 5407f1a..e5f6e29 100644
--- a/config/elfutils.spec.in
+++ b/config/elfutils.spec.in
@@ -10,6 +10,7 @@ Obsoletes: libelf libelf-devel
Requires: elfutils-libelf = %{version}-%{release}
Requires: glibc >= 2.7
Requires: libstdc++
+Requires: default-yama-scope
# ExcludeArch: xxx
@@ -97,6 +98,22 @@ Conflicts: libelf-devel
The elfutils-libelf-static package contains the static archive
for libelf.
+%package default-yama-scope
+Summary: Default yama attach scope sysctl setting
+Group: Development/Tools
+License: GPLv2+ or LGPLv3+
+Provides: default-yama-scope
+BuildArch: noarch
+
+%description default-yama-scope
+Yama sysctl setting to enable default attach scope settings
+enabling programs to use ptrace attach, access to
+/proc/PID/{mem,personality,stack,syscall}, and the syscalls
+process_vm_readv and process_vm_writev which are used for
+interprocess services, communication and introspection
+(like synchronisation, signaling, debugging, tracing and
+profiling) of processes.
+
%prep
%setup -q
@@ -121,6 +138,8 @@ chmod +x ${RPM_BUILD_ROOT}%{_prefix}/%{_lib}/elfutils/lib*.so*
rm -f .%{_libdir}/libasm.a
}
+install -Dm0644 config/10-default-yama-scope.conf ${RPM_BUILD_ROOT}%{_sysctldir}/10-default-yama-scope.conf
+
%check
make check
@@ -135,6 +154,9 @@ rm -rf ${RPM_BUILD_ROOT}
%postun libelf -p /sbin/ldconfig
+%post default-yama-scope
+%sysctl_apply 10-default-yama-scope.conf
+
%files
%defattr(-,root,root)
%doc COPYING COPYING-GPLV2 COPYING-LGPLV3 README TODO CONTRIBUTING
@@ -197,6 +219,9 @@ rm -rf ${RPM_BUILD_ROOT}
%files libelf-devel-static
%{_libdir}/libelf.a
+%files default-yama-scope
+%config(noreplace) %{_sysctldir}/10-default-yama-scope.conf
+
%changelog
* Fri Jun 19 2015 Mark Wielaard <mark@gmail.com> 0.163-1
- Bug fixes only, no new features.
Reference in New Issue View Git Blame Copy Permalink