[Bug 1226460] New: AUDIT-0: aaa_base: sysctl.d/52-yama.conf
https://bugzilla.suse.com/show_bug.cgi?id=1226460

Bug ID: 1226460
Summary: AUDIT-0: aaa_base: sysctl.d/52-yama.conf
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: kukuk@suse.com
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

As discussed in several threads, to make it easier for developers to enable ptrace again for development, aaa_base has a new sub-package with a sysctl.d file for this:

aaa_base-yama-enable-ptrace
/usr/lib/sysctl.d/52-yama.conf

--
You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1226460

Thorsten Kukuk <kukuk@suse.com> changed:

    What    |Removed    |Added
    CC      |           |ro@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1226460#c1

--- Comment #1 from Matthias Gerstner <matthias.gerstner@suse.com> ---

Thank you for creating the AUDIT bug. We will schedule the review and whitelisting.
https://bugzilla.suse.com/show_bug.cgi?id=1226460#c2

Matthias Gerstner <matthias.gerstner@suse.com> changed:

    What      |Removed                  |Added
    Assignee  |security-team@suse.de    |matthias.gerstner@suse.com
    CC        |                         |security-team@suse.de
    Status    |NEW                      |IN_PROGRESS

--- Comment #2 from Matthias Gerstner <matthias.gerstner@suse.com> ---

I'll handle this together with bug 1226464.
https://bugzilla.suse.com/show_bug.cgi?id=1226460#c3

--- Comment #3 from Matthias Gerstner <matthias.gerstner@suse.com> ---

Adding the sub-package for opting out of this is all right, but the way the change has been implemented seems wrong to me.

The file /usr/lib/sysctl.d/52-yama.conf has been removed from the aaa_base main package, and now it is packaged in the aaa_base-yama-enable-ptrace sub-package instead. Its content changed as follows:

-# legitimate usecases.
--kernel.yama.ptrace_scope = 1
+# legitimate usecases, such as calling strace or gdb on other processes.
+-kernel.yama.ptrace_scope = 0

This means the ptrace limitation is removed completely, and installing the sub-package doesn't do anything at all anymore.

I'd say what is needed here is an additional sysctl.d drop-in file with higher priority like 53-yama-dev.conf, packaged in the new sub-package, while the previous version of 52-yama.conf, which sets ptrace_scope = 1, needs to stay in the main package.
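Review bot: the new header comment in the hunk ("+# legitimate usecases, such as calling strace or gdb on other processes.") describes the use case but not the effect of the file; since this drop-in now ships only in the opt-in sub-package, the comment should state that it sets ptrace_scope to 0 (classic ptrace permissions: any process may attach to others of the same uid) and that uninstalling the package returns the system to the kernel's built-in default of 1, so an administrator reading the file knows what installing the package changes. The leading dash in "+-kernel.yama.ptrace_scope = 0" is fine as is: in sysctl.d syntax it only tells sysctl to ignore a failure to apply the setting, for example on a kernel built without YAMA, and is not part of the key.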
https://bugzilla.suse.com/show_bug.cgi?id=1226460#c4

Matthias Gerstner <matthias.gerstner@suse.com> changed:

    What     |Removed                        |Added
    Summary  |AUDIT-0: aaa_base:             |AUDIT-WHITELIST: aaa_base:
             |sysctl.d/52-yama.conf          |sysctl.d/52-yama.conf

--- Comment #4 from Matthias Gerstner <matthias.gerstner@suse.com> ---

It seems to be all right after all. The default setting of the YAMA security module for ptrace_scope is 1, and always has been. Thus dropping the sysctl file from aaa_base is okay, and only installing the new sub-package will change the scope to 0. This detail was not clear to me from looking at the commit that changed this.

I will initiate the process for adjusting the whitelistings.
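As an added example (not code from the bug report, from aaa_base or from systemd), the following shell script models the sysctl.d precedence that comments #3 and #4 turn on and resolves kernel.yama.ptrace_scope for the layouts they discuss: no drop-in at all, the accepted single sub-package file, the stacked 52/53 variant proposed in comment #3, and an administrator mask in /etc/sysctl.d. The layout names, the temporary root and the file contents are constructed for the demonstration.

```shell
# Added example, not part of the bug report or of aaa_base: a model of how
# sysctl.d drop-ins combine, to check what kernel.yama.ptrace_scope ends up
# as under the layouts discussed in comments #3 and #4. systemd-sysctl rules:
#  - directories are searched in priority order (/etc, /run, /usr/local/lib,
#    /usr/lib, /lib); a name found higher up masks the same name lower down
#  - surviving files apply in lexical order, so 53-yama-dev.conf overrides
#    52-yama.conf for a key both set; a leading '-' only means "ignore failure"
# Everything is built under a temporary root; nothing touches /proc/sys.

KERNEL_DEFAULT=1   # YAMA's built-in ptrace_scope, as stated in comment #4

# effective_ptrace_scope ROOT: print the value set by the winning drop-in,
# or the kernel default when no drop-in sets the key at all.
effective_ptrace_scope() {
    root=$1; value=$KERNEL_DEFAULT
    dirs="$root/etc/sysctl.d $root/run/sysctl.d $root/usr/local/lib/sysctl.d $root/usr/lib/sysctl.d $root/lib/sysctl.d"
    names=$(for d in $dirs; do for f in "$d"/*.conf; do [ -f "$f" ] && basename "$f"; done; done | sort -u)
    for name in $names; do
        for d in $dirs; do            # first directory holding this name masks the rest
            [ -f "$d/$name" ] || continue
            v=$(sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*kernel\.yama\.ptrace_scope[[:space:]]*=[[:space:]]*\([0-3]\).*/\1/p' "$d/$name" | tail -n 1)
            [ -n "$v" ] && value=$v   # last assignment within a file wins
            break
        done
    done
    echo "$value"
}

# scenario_value LAYOUT: build one constructed package layout under mktemp and resolve it.
#   none         no drop-in at all (the aaa_base main package after the change)
#   subpkg-only  52-yama.conf = 0 shipped by aaa_base-yama-enable-ptrace (the accepted layout)
#   stacked      52-yama.conf = 1 in the main package plus 53-yama-dev.conf = 0 (comment #3's proposal)
#   admin-mask   stacked, but the admin masks 53-yama-dev.conf from /etc/sysctl.d with scope 1
scenario_value() {
    root=$(mktemp -d); mkdir -p "$root/usr/lib/sysctl.d" "$root/etc/sysctl.d"
    case $1 in
        subpkg-only) printf '%s\n' '-kernel.yama.ptrace_scope = 0' > "$root/usr/lib/sysctl.d/52-yama.conf" ;;
        stacked|admin-mask)
            printf '%s\n' '-kernel.yama.ptrace_scope = 1' > "$root/usr/lib/sysctl.d/52-yama.conf"
            printf '%s\n' '-kernel.yama.ptrace_scope = 0' > "$root/usr/lib/sysctl.d/53-yama-dev.conf" ;;
    esac
    [ "$1" = admin-mask ] && printf '%s\n' 'kernel.yama.ptrace_scope = 1' > "$root/etc/sysctl.d/53-yama-dev.conf"
    effective_ptrace_scope "$root"
    rm -rf "$root"
}

for layout in none subpkg-only stacked admin-mask; do
    printf '%-12s -> kernel.yama.ptrace_scope = %s\n' "$layout" "$(scenario_value "$layout")"
done
```

The admin-mask layout shows the defender-side counterpart of the sub-package: a same-named file in /etc/sysctl.d overrides the packaged drop-in without modifying package-owned files.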
https://bugzilla.suse.com/show_bug.cgi?id=1226460#c6

Matthias Gerstner <matthias.gerstner@suse.com> changed:

    What        |Removed      |Added
    Status      |IN_PROGRESS  |RESOLVED
    Resolution  |---          |FIXED

--- Comment #6 from Matthias Gerstner <matthias.gerstner@suse.com> ---

The whitelisting is now in Factory, closing as fixed.