From 90aeeef683cc21ad43162f1e45a08d335776825e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Sat, 27 Jun 2015 14:00:14 -0400
Subject: [PATCH] Add example file with yama config
---
 20-yama-ptrace.conf | 42 ++++++++++++++++++++++++++++++++++++++++++
 systemd.spec | 6 ++++++
 2 files changed, 48 insertions(+)
 create mode 100644 20-yama-ptrace.conf
diff --git a/20-yama-ptrace.conf b/20-yama-ptrace.conf
new file mode 100644
index 0000000..4fbaf97
--- /dev/null
+++ b/20-yama-ptrace.conf
@@ -0,0 +1,42 @@
+# The ptrace system call is used for interprocess services,
+# communication and introspection (like synchronisation, signaling,
+# debugging, tracing and profiling) of processes.
+#
+# Usage of ptrace is restricted by normal user permissions. Normal
+# unprivileged processes cannot use ptrace on processes that they
+# cannot send signals to or processes that are running set-uid or
+# set-gid. Nevertheless, processes running under the same uid will
+# usually be able to ptrace one another.
+#
+# Fedora enables the Yama security mechanism which restricts ptrace
+# even further. Sysctl setting kernel.yama.ptrace_scope can have one
+# of the following values:
+#
+# 0 - Normal ptrace security permissions.
+# 1 - Restricted ptrace. Only child processes plus normal permissions.
+# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.
+# 3 - No attach. No process may call ptrace at all. Irrevocable.
+#
+# For more information see Documentation/security/Yama.txt in the
+# kernel sources.
+#
+# The default is 1., which allows tracing of child processes, but
+# forbids tracing of arbitrary processes. This allows programs like
+# gdb or strace to work when the most common way of having the
+# debugger start the debuggee is used:
+# gdb /path/to/program ...
+# Attaching to already running programs is NOT allowed:
+# gdb -p ...
+# This default setting is suitable for the common case, because it
+# reduces the risk that one hacked process can be used to attack other
+# processes. (For example, a hacked firefox process in a user session
+# will not be able to ptrace the keyring process and extract passwords
+# stored only in memory.)
+#
+# Developers and administrators might want to disable those protections
+# to be able to attach debuggers to existing processes. Use
+# sysctl kernel.yama.ptrace_scope=0
+# for change the setting temporarily, or copy this file to
+# /etc/sysctl.d/20-yama-ptrace.conf to set it for future boots.
+
+kernel.yama.ptrace_scope = 0
diff --git a/systemd.spec b/systemd.spec
index f5b3517..f5fd4b7 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -34,6 +34,7 @@ Source5: inittab
 Source6: sysctl.conf.README
 Source7: systemd-journal-remote.xml
 Source8: systemd-journal-gatewayd.xml
+Source9: 20-yama-ptrace.conf
 # temporary fix for broken kernel headers
 Source99: in.h
@@ -384,6 +385,10 @@ mkdir -vp %{buildroot}/usr/lib/firewalld/services/
 install -Dm0644 %{SOURCE7} %{buildroot}/usr/lib/firewalld/services/
 install -Dm0644 %{SOURCE8} %{buildroot}/usr/lib/firewalld/services/
+# Install additional docs
+# https://bugzilla.redhat.com/show_bug.cgi?id=1234951
+install -Dm0644 %{SOURCE9} %{buildroot}%{_pkgdocdir}/
+
 %find_lang %{name}
 %check
@@ -553,6 +558,7 @@ getent passwd systemd-journal-upload >/dev/null 2>&1 || useradd -r -l -g systemd
 %files -f %{name}.lang
 %doc %{_pkgdocdir}
+%{_pkgdocdir}/20-yama-ptrace.conf
 %exclude %{_pkgdocdir}/LICENSE.*
 %license LICENSE.GPL2 LICENSE.LGPL2.1
 %dir %{_sysconfdir}/systemd
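Review bot: The one effective line of the new file, `kernel.yama.ptrace_scope = 0`, switches off exactly the protection the forty comment lines above it describe, and nothing next to the setting says so; a reader who copies the file into /etc/sysctl.d as the comment instructs gets ptrace of any same-uid process re-enabled on every boot. I would put a comment directly above the setting, e.g. `# 0 lets any process ptrace any other process of the same uid; set this back to 1 to restore the Fedora default.`, so the consequence is visible at the point where it is chosen. The comment block also has two wording slips worth fixing in the same patch: `The default is 1.,` and `for change the setting temporarily` (should read `to change the setting temporarily`). Since sysctl.d fragments are applied in lexical order with a later file overriding an earlier one for the same key, it may be worth a sentence noting that any fragment sorting after `20-` that also sets this key would silently win over the copied file; I have not checked whether one ships here.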
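Review bot: The added `%{_pkgdocdir}/20-yama-ptrace.conf` entry in the %files list duplicates coverage that `%doc %{_pkgdocdir}` on the line above already provides, since a directory entry packages everything installed beneath it, so rpmbuild will likely report the file as listed twice. If the intent is only to ship the file, the explicit line can be dropped; if the intent is to keep the file installed even when docs are excluded, a comment next to the entry saying so would stop the next maintainer from removing it as redundant. The %files section continues outside the hunk.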