Add example file with yama config

This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2015-06-27 14:00:14 -04:00
parent 9a11c6baf7
commit 90aeeef683
2 changed files with 48 additions and 0 deletions

42
20-yama-ptrace.conf Normal file
View File

@ -0,0 +1,42 @@
# The ptrace system call is used for interprocess services,
# communication and introspection (like synchronisation, signaling,
# debugging, tracing and profiling) of processes.
#
# Usage of ptrace is restricted by normal user permissions. Normal
# unprivileged processes cannot use ptrace on processes that they
# cannot send signals to or processes that are running set-uid or
# set-gid. Nevertheless, processes running under the same uid will
# usually be able to ptrace one another.
#
# Fedora enables the Yama security mechanism which restricts ptrace
# even further. Sysctl setting kernel.yama.ptrace_scope can have one
# of the following values:
#
# 0 - Normal ptrace security permissions.
# 1 - Restricted ptrace. Only child processes plus normal permissions.
# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.
# 3 - No attach. No process may call ptrace at all. Irrevocable.
#
# For more information see Documentation/security/Yama.txt in the
# kernel sources.
#
# The default is 1., which allows tracing of child processes, but
# forbids tracing of arbitrary processes. This allows programs like
# gdb or strace to work when the most common way of having the
# debugger start the debuggee is used:
# gdb /path/to/program ...
# Attaching to already running programs is NOT allowed:
# gdb -p ...
# This default setting is suitable for the common case, because it
# reduces the risk that one hacked process can be used to attack other
# processes. (For example, a hacked firefox process in a user session
# will not be able to ptrace the keyring process and extract passwords
# stored only in memory.)
#
# Developers and administrators might want to disable those protections
# to be able to attach debuggers to existing processes. Use
# sysctl kernel.yama.ptrace_scope=0
# for change the setting temporarily, or copy this file to
# /etc/sysctl.d/20-yama-ptrace.conf to set it for future boots.
kernel.yama.ptrace_scope = 0

View File

@ -34,6 +34,7 @@ Source5: inittab
Source6: sysctl.conf.README
Source7: systemd-journal-remote.xml
Source8: systemd-journal-gatewayd.xml
Source9: 20-yama-ptrace.conf
# temporary fix for broken kernel headers
Source99: in.h
@ -384,6 +385,10 @@ mkdir -vp %{buildroot}/usr/lib/firewalld/services/
install -Dm0644 %{SOURCE7} %{buildroot}/usr/lib/firewalld/services/
install -Dm0644 %{SOURCE8} %{buildroot}/usr/lib/firewalld/services/
# Install additional docs
# https://bugzilla.redhat.com/show_bug.cgi?id=1234951
install -Dm0644 %{SOURCE9} %{buildroot}%{_pkgdocdir}/
%find_lang %{name}
%check
@ -553,6 +558,7 @@ getent passwd systemd-journal-upload >/dev/null 2>&1 || useradd -r -l -g systemd
%files -f %{name}.lang
%doc %{_pkgdocdir}
%{_pkgdocdir}/20-yama-ptrace.conf
%exclude %{_pkgdocdir}/LICENSE.*
%license LICENSE.GPL2 LICENSE.LGPL2.1
%dir %{_sysconfdir}/systemd