====
Yama
====

Yama is a Linux Security Module that collects system-wide DAC security
protections that are not handled by the core kernel itself. This is
selectable at build-time with ``CONFIG_SECURITY_YAMA``, and can be controlled
at run-time through sysctls in ``/proc/sys/kernel/yama``:

ptrace_scope
============

As Linux grows in popularity, it will become a larger target for
malware. One particularly troubling weakness of the Linux process
interfaces is that a single user is able to examine the memory and
running state of any of their processes. For example, if one application
(e.g. Pidgin) was compromised, it would be possible for an attacker to
attach to other running processes (e.g. Firefox, SSH sessions, GPG agent,
etc) to extract additional credentials and continue to expand the scope
of their attack without resorting to user-assisted phishing.

This is not a theoretical problem. `SSH session hijacking
<https://www.blackhat.com/presentations/bh-usa-05/bh-us-05-boileau.pdf>`_
and `arbitrary code injection
<https://c-skills.blogspot.com/2007/05/injectso.html>`_ attacks already
exist and remain possible if ptrace is allowed to operate as before.
Since ptrace is not commonly used by non-developers and non-admins, system
builders should be allowed the option to disable this debugging system.

For a solution, some applications use ``prctl(PR_SET_DUMPABLE, ...)`` to
specifically disallow such ptrace attachment (e.g. ssh-agent), but many
do not. A more general solution is to only allow ptrace directly from a
parent to a child process (i.e. direct "gdb EXE" and "strace EXE" still
work), or with ``CAP_SYS_PTRACE`` (i.e. "gdb --pid=PID", and "strace -p PID"
still work as root).

In mode 1, software that has defined application-specific relationships
between a debugging process and its inferior (crash handlers, etc.) can
use ``prctl(PR_SET_PTRACER, pid, ...)``. An inferior can declare which
other process (and its descendants) are allowed to call ``PTRACE_ATTACH``
against it. Only one such declared debugging process can exist for
each inferior at a time. For example, this is used by KDE, Chromium, and
Firefox's crash handlers, and by Wine for allowing only Wine processes
to ptrace each other. If a process wishes to entirely disable these ptrace
restrictions, it can call ``prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, ...)``
so that any otherwise allowed process (even those in external pid namespaces)
may attach.

The sysctl settings (writable only with ``CAP_SYS_PTRACE``) are:

0 - classic ptrace permissions:
a process can ``PTRACE_ATTACH`` to any other
process running under the same uid, as long as it is dumpable (i.e.
did not transition uids, start privileged, or have called
``prctl(PR_SET_DUMPABLE...)`` already). Similarly, ``PTRACE_TRACEME`` is
unchanged.

1 - restricted ptrace:
a process must have a predefined relationship
with the inferior it wants to call ``PTRACE_ATTACH`` on. By default,
this relationship is that of only its descendants when the above
classic criteria are also met. To change the relationship, an
inferior can call ``prctl(PR_SET_PTRACER, debugger, ...)`` to declare
an allowed debugger PID to call ``PTRACE_ATTACH`` on the inferior.
Using ``PTRACE_TRACEME`` is unchanged.

2 - admin-only attach:
only processes with ``CAP_SYS_PTRACE`` may use ptrace, either with
``PTRACE_ATTACH`` or through children calling ``PTRACE_TRACEME``.

3 - no attach:
no processes may use ptrace with ``PTRACE_ATTACH`` nor via
``PTRACE_TRACEME``. Once set, this sysctl value cannot be changed.
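
The following C program is an added illustration, not part of this document or of the kernel's Yama code: it models the four ``ptrace_scope`` values above, including the ``PR_SET_PTRACER`` / ``PR_SET_PTRACER_ANY`` exceptions of mode 1, as a pure decision function over a constructed process table. The pids, the process table and the ``yama_may_attach`` helper are assumptions made for the example.

```c
/* Added model of the ptrace_scope rules; not kernel code. A constructed
 * process table and a function answering "may tracer PTRACE_ATTACH to tracee?" */
#include <stdbool.h>
#include <stddef.h>
#define PTRACER_NONE 0
#define PTRACER_ANY (-1)   /* stands in for PR_SET_PTRACER_ANY */

struct proc {
    int pid, ppid, uid;
    bool dumpable;        /* false after a uid transition, privileged start or PR_SET_DUMPABLE 0 */
    bool cap_sys_ptrace;  /* holds CAP_SYS_PTRACE */
    int ptracer;          /* pid declared with PR_SET_PTRACER, PTRACER_NONE or PTRACER_ANY */
};

/* Constructed sample, loosely the Pidgin/Firefox scenario above (pids are made up). */
static const struct proc sample[] = {
    {1,   0,   0,    true,  false, PTRACER_NONE},  /* init */
    {100, 1,   1000, true,  false, PTRACER_NONE},  /* "pidgin", assumed compromised */
    {200, 1,   1000, true,  false, PTRACER_NONE},  /* "firefox" */
    {201, 200, 1000, true,  false, PTRACER_NONE},  /* child of firefox */
    {300, 1,   1000, true,  false, 100},           /* declared pid 100 as its ptracer */
    {400, 1,   1000, false, false, PTRACER_NONE},  /* non-dumpable, like ssh-agent */
    {500, 1,   0,    true,  true,  PTRACER_NONE},  /* root debugger with CAP_SYS_PTRACE */
};
static const size_t nsample = sizeof sample / sizeof sample[0];

static const struct proc *find(int pid) {
    for (size_t i = 0; i < nsample; i++) if (sample[i].pid == pid) return &sample[i];
    return NULL;
}

/* true if `anc` is `pid` itself or one of its ancestors */
static bool is_ancestor_or_self(int anc, int pid) {
    for (const struct proc *p = find(pid); p; p = find(p->ppid))
        if (p->pid == anc) return true;
    return false;
}

bool yama_may_attach(int scope, int tracer_pid, int tracee_pid) {
    const struct proc *tracer = find(tracer_pid), *tracee = find(tracee_pid);
    if (!tracer || !tracee || tracer_pid == tracee_pid || scope >= 3) return false;  /* 3: no attach */
    if (scope == 2) return tracer->cap_sys_ptrace;                                  /* 2: admin only */
    /* classic rule: used by mode 0 and as the baseline that mode 1 adds to */
    bool classic = tracer->cap_sys_ptrace || (tracer->uid == tracee->uid && tracee->dumpable);
    if (!classic || scope == 0 || tracer->cap_sys_ptrace) return classic;
    /* mode 1: tracee must be a descendant, or have declared the tracer (or an ancestor of it) */
    if (is_ancestor_or_self(tracer_pid, tracee->ppid)) return true;
    if (tracee->ptracer == PTRACER_ANY) return true;
    return tracee->ptracer != PTRACER_NONE && is_ancestor_or_self(tracee->ptracer, tracer_pid);
}
```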

The original children-only logic was based on the restrictions in grsecurity.