teknoraver / rpms / systemd

Forked from rpms/systemd 3 months ago

20-yama-ptrace.conf (blame view)

Zbigniew Jędrzejewski-Szmek 90aeee (all lines)
# The ptrace system call is used for interprocess services,
# communication and introspection (like synchronisation, signaling,
# debugging, tracing and profiling) of processes.
#
# Usage of ptrace is restricted by normal user permissions. Normal
# unprivileged processes cannot use ptrace on processes that they
# cannot send signals to or processes that are running set-uid or
# set-gid. Nevertheless, processes running under the same uid will
# usually be able to ptrace one another.
#
# Fedora enables the Yama security mechanism which restricts ptrace
# even further. Sysctl setting kernel.yama.ptrace_scope can have one
# of the following values:
#
# 0 - Normal ptrace security permissions.
# 1 - Restricted ptrace. Only child processes plus normal permissions.
# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.
# 3 - No attach. No process may call ptrace at all. Irrevocable.
#
# For more information see Documentation/security/Yama.txt in the
# kernel sources.
#
# The default is 1, which allows tracing of child processes, but
# forbids tracing of arbitrary processes. This allows programs like
# gdb or strace to work when the most common way of having the
# debugger start the debuggee is used:
#    gdb /path/to/program ...
# Attaching to already running programs is NOT allowed:
#    gdb -p ...
# (unless the target is a descendant of the debugger, or has explicitly
# allowed it beforehand with prctl(PR_SET_PTRACER)).
# This default setting is suitable for the common case, because it
# reduces the risk that one hacked process can be used to attack other
# processes. (For example, a hacked firefox process in a user session
# will not be able to ptrace the keyring process and extract passwords
# stored only in memory.)
#
# Developers and administrators might want to disable those protections
# to be able to attach debuggers to existing processes. Run, as root,
#   sysctl kernel.yama.ptrace_scope=0
# to change the setting temporarily (until the next boot), or copy this
# file to /etc/sysctl.d/20-yama-ptrace.conf to set it for future boots.

kernel.yama.ptrace_scope = 0
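The last comment block tells the administrator to copy this file to /etc/sysctl.d/20-yama-ptrace.conf. Whether that copy actually changes anything depends on how systemd-sysctl(8) merges drop-ins, as described in sysctl.d(5): a file in /etc/sysctl.d masks a same-named file in /usr/lib/sysctl.d, and across different names the files are applied in lexicographic order, so the lexicographically last file that sets a key wins. A 20- prefix therefore beats a vendor 10- file but silently loses to a vendor 50- file. The POSIX shell script below is an added example, not part of this file or of the Fedora systemd package: it reimplements those merge rules and runs them over a constructed directory tree. The vendor file name 10-vendor-yama.conf and its value of 1 are hypothetical, chosen to make the override visible; they are not what Fedora ships.

```shell
#!/bin/sh
# Added example (not part of the Fedora systemd package): resolve the
# effective value of a sysctl key from drop-in directories the way
# systemd-sysctl(8) merges them, following sysctl.d(5):
#   * list directories highest precedence first (/etc, /run, /usr/local/lib,
#     /usr/lib); a file in an earlier directory masks a same-named file in a
#     later one, and an empty file (or symlink to /dev/null) masks it entirely;
#   * the surviving files are processed in lexicographic order of basename,
#     so the lexicographically last file that sets the key wins.
# Usage: effective_sysctl KEY DIR...
effective_sysctl() {
    key=$1; shift
    # escape "." so the key is matched literally by sed
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
    value=""
    # union of *.conf basenames across all directories, sorted once
    names=$(for d in "$@"; do [ -d "$d" ] && ls "$d"; done | grep '\.conf$' | sort -u)
    for name in $names; do
        for d in "$@"; do
            f="$d/$name"
            [ -e "$f" ] || continue
            # first hit is the highest-precedence copy; take its last
            # assignment to KEY (a leading "-" means "ignore errors")
            v=$(sed -n -e '/^[[:space:]]*[#;]/d' \
                -e "s/^[[:space:]]*-\{0,1\}$key_re[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" \
                "$f" | tail -n 1)
            [ -n "$v" ] && value=$v
            break
        done
    done
    printf '%s\n' "$value"
}

# Constructed fixture, not a real system: a hypothetical vendor drop-in that
# sets the hardened scope 1, plus the admin directory this file is meant to
# be copied into.  Prints the fixture root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/sysctl.d" "$root/etc/sysctl.d"
    printf 'kernel.yama.ptrace_scope = 1\n' > "$root/usr/lib/sysctl.d/10-vendor-yama.conf"
    printf '%s\n' "$root"
}

# Walk through the override: 20-yama-ptrace.conf in /etc/sysctl.d wins over a
# vendor file that sorts before it, but not over one that sorts after it;
# a same-named file in /etc/sysctl.d masks the vendor copy outright.
demo() {
    root=$(make_fixture)
    dirs="$root/etc/sysctl.d $root/usr/lib/sysctl.d"
    echo "vendor 10- only:         $(effective_sysctl kernel.yama.ptrace_scope $dirs)"
    printf 'kernel.yama.ptrace_scope = 0\n' > "$root/etc/sysctl.d/20-yama-ptrace.conf"
    echo "plus 20-yama-ptrace:     $(effective_sysctl kernel.yama.ptrace_scope $dirs)"
    mv "$root/usr/lib/sysctl.d/10-vendor-yama.conf" "$root/usr/lib/sysctl.d/50-vendor-yama.conf"
    echo "vendor renamed to 50-:   $(effective_sysctl kernel.yama.ptrace_scope $dirs)"
    : > "$root/etc/sysctl.d/50-vendor-yama.conf"   # same name in /etc masks the vendor copy
    echo "vendor masked from /etc: $(effective_sysctl kernel.yama.ptrace_scope $dirs)"
    rm -rf "$root"
}
demo
```

The four lines printed by demo resolve to 1, 0, 1 and 0 respectively: the third case is the trap, where the copied 20- file is applied and then overwritten by the later-sorting vendor file. On a live system, `systemd-sysctl --cat-config` prints the merged drop-ins in the order they are applied, and `sysctl kernel.yama.ptrace_scope` shows the value the running kernel holds; check the latter after a reboot rather than trusting the file name.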