[opensuse-kernel] enable Yama LSM
Please add Yama LSM support to openSUSE Tumbleweed kernels. Of all major distributions, only SUSE ships kernels with Yama disabled at compile time. Debian and CentOS do support it but prefer it off; Ubuntu has enabled it by default since 10.10 Maverick Meerkat.

I understand and appreciate the conservative approach taken by SUSE in the early years, but please note that Yama landed in mainline almost a decade ago. From an administrator's perspective, this is looking increasingly battle tested.

In case Yama is still deemed not fit for SUSE kernels, would you mind sharing your reservations with us?

Thanks and best regards
Ed

--
To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
On 2/28/2019 1:34 PM, Detlef Eppers wrote:
> Please add Yama LSM support to openSUSE Tumbleweed kernels.
What is yama? I don't recall seeing it as a kernel configuration option, and I just just tumbleweed and don't see a package named yama anything.

Sorry for being under-informed.

Thanks!
> What is yama? I don't recall seeing it as a kernel configuration option, and I just just tumbleweed and don't see a package named yama anything.
Yama is a relatively small security module (LSM). It is enabled by CONFIG_SECURITY_YAMA and adds restrictions to how programs can use the ptrace syscall. These restrictions can be managed at runtime with a sysctl knob:

https://www.kernel.org/doc/Documentation/security/Yama.txt

The highest setting (ptrace_scope=3) will be interesting mainly for servers and other locked-down systems. In the lowest setting (ptrace_scope=1), usability issues are extremely rare. This has been Ubuntu's default since 2010.
> Sorry for being under-informed.
I left out essential information, sorry for this.
> Thanks!
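As an added illustration of the sysctl knob discussed in this thread (not code from either poster), the following POSIX shell script reads the current Yama ptrace_scope from the running kernel, explains what each level means according to Yama.txt, and checks it against a required minimum. It assumes the documented path /proc/sys/kernel/yama/ptrace_scope; on a kernel built without CONFIG_SECURITY_YAMA (such as the SUSE kernels the thread is about) that file is absent, and the script reports that instead of failing.

```shell
#!/bin/sh
# Added example: audit the Yama ptrace_scope setting on the running kernel.
# Assumed sysctl path (documented in Yama.txt); absent when CONFIG_SECURITY_YAMA is unset.
YAMA_SYSCTL=/proc/sys/kernel/yama/ptrace_scope

# Map a ptrace_scope value to the behaviour Yama.txt describes for it.
# Prints one line; returns 1 for a value outside 0..3.
describe_ptrace_scope() {
  case "$1" in
    0) echo "0: classic ptrace permissions (same-uid processes may attach to each other)" ;;
    1) echo "1: restricted ptrace (attach only to descendants or PR_SET_PTRACER targets)" ;;
    2) echo "2: admin-only attach (CAP_SYS_PTRACE required)" ;;
    3) echo "3: no attach at all; cannot be lowered again until reboot" ;;
    *) echo "unknown ptrace_scope value: $1"; return 1 ;;
  esac
}

# Print the current scope, or "absent" when the kernel has no Yama support.
read_ptrace_scope() {
  if [ -r "$YAMA_SYSCTL" ]; then
    cat "$YAMA_SYSCTL"
  else
    echo absent
  fi
}

# Succeed only if Yama is present and the scope is at least the given minimum.
check_min_scope() {
  current=$(read_ptrace_scope)
  if [ "$current" = absent ]; then
    echo "Yama not available on this kernel (CONFIG_SECURITY_YAMA unset?)"
    return 1
  fi
  [ "$current" -ge "$1" ]
}

# Report for the running system; a persistent setting would go in e.g.
# /etc/sysctl.d/10-ptrace.conf as:  kernel.yama.ptrace_scope = 1
scope=$(read_ptrace_scope)
echo "current ptrace_scope: $scope"
[ "$scope" = absent ] || describe_ptrace_scope "$scope"
```

Running it on a Yama-enabled distribution prints the level and its meaning; an exit status of 1 from check_min_scope is the signal a configuration check would use to flag a host that is either below policy or running a kernel without Yama compiled in.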
participants (2)
-
Detlef Eppers
-
L A Walsh