Mark Wielaard 61e0d33
commit 65a818baa4bcae96c1e9516420fcd87a2db3c863
Author: Mark Wielaard <mjw@redhat.com>
Date:   Tue Aug 4 12:20:20 2015 +0200

    spec: Provide default-yama-scope.

    When yama is enabled in the kernel it might be used to filter any user
    space access which requires PTRACE_MODE_ATTACH like ptrace attach, access
    to /proc/PID/{mem,personality,stack,syscall}, and the syscalls
    process_vm_readv and process_vm_writev which are used for interprocess
    services, communication and introspection (like synchronisation, signaling,
    debugging, tracing and profiling) of processes.

    These are precisely the things that libdw dwfl and ebl backends rely on.
    So make sure they don't mysteriously fail in such cases by providing the
    default yama scope sysctl value.

    This is implemented as a separate subpackage that just provides this
    functionality so other packages that don't directly rely on elfutils-libs
    can also just Require: default-yama-scope to function properly.
    https://bugzilla.redhat.com/show_bug.cgi?id=1209492#c69

    Signed-off-by: Mark Wielaard <mjw@redhat.com>

diff --git a/config/10-default-yama-scope.conf b/config/10-default-yama-scope.conf
new file mode 100644
index 0000000..ba78ebd
--- /dev/null
+++ b/config/10-default-yama-scope.conf
@@ -0,0 +1,35 @@
+# When yama is enabled in the kernel it might be used to filter any user
+# space access which requires PTRACE_MODE_ATTACH like ptrace attach, access
+# to /proc/PID/{mem,personality,stack,syscall}, and the syscalls
+# process_vm_readv and process_vm_writev which are used for interprocess
+# services, communication and introspection (like synchronisation, signaling,
+# debugging, tracing and profiling) of processes.
+#
+# Usage of ptrace attach is restricted by normal user permissions. Normal
+# unprivileged processes cannot interact through ptrace with processes
+# that they cannot send signals to or processes that are running set-uid
+# or set-gid.
+#
+# yama ptrace scope can be used to reduce these permissions even more.
+# This should normally not be done because it will break various programs
+# relying on the default ptrace security restrictions. But can be used
+# if you don't have any other way to separate processes in their own
+# domains. A different way to restrict ptrace is to set the selinux
+# deny_ptrace boolean. Both mechanisms will break some programs relying
+# on the ptrace system call and might force users to elevate their
+# priviliges to root to do their work.
+#
+# For more information see Documentation/security/Yama.txt in the kernel
+# sources. Which also describes the defaults when CONFIG_SECURITY_YAMA
+# is enabled in a kernel build (currently 1 for ptrace_scope).
+#
+# This runtime kernel parameter can be set to the following options:
+# (Note that setting this to anything except zero will break programs!)
+#
+# 0 - Default attach security permissions.
+# 1 - Restricted attach. Only child processes plus normal permissions.
+# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.
+# 3 - No attach. No process may call ptrace at all. Irrevocable.
+#
+kernel.yama.ptrace_scope = 0
+
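Review bot: the header comment has a typo, "priviliges" should be "privileges" in `# priviliges to root to do their work.`, and "Which also describes the defaults when CONFIG_SECURITY_YAMA ..." is a sentence fragment that belongs to the preceding sentence. The scope table also omits the one detail an administrator needs when weighing this file: under scope 1 a process can still admit a specific tracer with prctl(PR_SET_PTRACER), which the referenced Documentation/security/Yama.txt describes, so a tool that can opt in per process does not need the global change. A sentence next to `# 1 - Restricted attach. Only child processes plus normal permissions.` would make clear what `kernel.yama.ptrace_scope = 0` gives up relative to the kernel build default of 1 that the comment itself cites.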
diff --git a/config/ChangeLog b/config/ChangeLog
index 00f3ddc..31eeca7 100644
--- a/config/ChangeLog
+++ b/config/ChangeLog
@@ -1,3 +1,10 @@
+2015-08-04  Mark Wielaard  <mjw@redhat.com>
+
+	* 10-default-yama-scope.conf: New file.
+	* Makefile.am (EXTRA_DIST): Add 10-default-yama-scope.conf.
+	* elfutils.spec.in (Requires): default-yama-scope.
+	(default-yama-scope): New package.
+
 2015-06-19  Mark Wielaard  <mjw@redhat.com>
 
 	* elfutils.spec.in: Update for 0.163.
diff --git a/config/Makefile.am b/config/Makefile.am
index 6e61b77..23f7b65 100644
--- a/config/Makefile.am
+++ b/config/Makefile.am
@@ -1,7 +1,7 @@
 ## Process this file with automake to produce Makefile.in -*-Makefile-*-
 ## Configure input file for elfutils.
 ##
-## Copyright (C) 2004, 2005, 2008, 2009, 2011 Red Hat, Inc.
+## Copyright (C) 2004, 2005, 2008, 2009, 2011, 2015 Red Hat, Inc.
 ## This file is part of elfutils.
 ##
 ## This file is free software; you can redistribute it and/or modify
@@ -28,7 +28,7 @@
 ## the GNU Lesser General Public License along with this program.  If
 ## not, see <http://www.gnu.org/licenses/>.
 ##
-EXTRA_DIST = elfutils.spec.in known-dwarf.awk
+EXTRA_DIST = elfutils.spec.in known-dwarf.awk 10-default-yama-scope.conf
 
 if MAINTAINER_MODE
 $(srcdir)/elfutils.spec.in: $(top_srcdir)/NEWS
diff --git a/config/elfutils.spec.in b/config/elfutils.spec.in
index 5407f1a..e5f6e29 100644
--- a/config/elfutils.spec.in
+++ b/config/elfutils.spec.in
@@ -10,6 +10,7 @@ Obsoletes: libelf libelf-devel
 Requires: elfutils-libelf = %{version}-%{release}
 Requires: glibc >= 2.7
 Requires: libstdc++
+Requires: default-yama-scope
 
 # ExcludeArch: xxx
 
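Review bot: `Requires: default-yama-scope` is added only to the main elfutils package (the block with `Requires: elfutils-libelf = %{version}-%{release}`), yet the commit message says it is libdw's dwfl and the ebl backends, i.e. elfutils-libs, that depend on the sysctl, and that packages not depending on elfutils-libs should require it themselves. A consumer that pulls in elfutils-libs alone therefore gets no guarantee the sysctl is installed; add the same Requires to the elfutils-libs subpackage.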
@@ -97,6 +98,22 @@ Conflicts: libelf-devel
 The elfutils-libelf-static package contains the static archive
 for libelf.
 
+%package default-yama-scope
+Summary: Default yama attach scope sysctl setting
+Group: Development/Tools
+License: GPLv2+ or LGPLv3+
+Provides: default-yama-scope
+BuildArch: noarch
+
+%description default-yama-scope
+Yama sysctl setting to enable default attach scope settings
+enabling programs to use ptrace attach, access to
+/proc/PID/{mem,personality,stack,syscall}, and the syscalls
+process_vm_readv and process_vm_writev which are used for
+interprocess services, communication and introspection
+(like synchronisation, signaling, debugging, tracing and
+profiling) of processes.
+
 %prep
 %setup -q
 
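Review bot: neither `Summary: Default yama attach scope sysctl setting` nor the %description says which value the package installs, and "default" is ambiguous here because the conf file's own header states that the kernel build default for ptrace_scope is 1 while this package sets `kernel.yama.ptrace_scope = 0`. State plainly that the subpackage lowers ptrace_scope to 0 (classic ptrace permission checks) system-wide, so an administrator reviewing what elfutils pulls in can see it relaxes a hardening knob rather than leaving the kernel default in place.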
@@ -121,6 +138,8 @@ chmod +x ${RPM_BUILD_ROOT}%{_prefix}/%{_lib}/elfutils/lib*.so*
   rm -f .%{_libdir}/libasm.a
 }
 
+install -Dm0644 config/10-default-yama-scope.conf ${RPM_BUILD_ROOT}%{_sysctldir}/10-default-yama-scope.conf
+
 %check
 make check
 
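Review bot: `install -Dm0644 config/10-default-yama-scope.conf ${RPM_BUILD_ROOT}%{_sysctldir}/10-default-yama-scope.conf` depends on %{_sysctldir}, which rpm itself does not define; it comes from the systemd RPM macros, and nothing in this diff adds a BuildRequires for them. On a build host without those macros the path expands literally and the install step fails. Either add the BuildRequires or guard with a fallback such as `%{!?_sysctldir:%global _sysctldir /usr/lib/sysctl.d}` near the top of the spec.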
@@ -135,6 +154,9 @@ rm -rf ${RPM_BUILD_ROOT}
 
 %postun libelf -p /sbin/ldconfig
 
+%post default-yama-scope
+%sysctl_apply 10-default-yama-scope.conf
+
 %files
 %defattr(-,root,root)
 %doc COPYING COPYING-GPLV2 COPYING-LGPLV3 README TODO CONTRIBUTING
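Review bot: `%sysctl_apply 10-default-yama-scope.conf` in %post runs systemd's sysctl helper at install time, so the subpackage needs `Requires(post): systemd` (or the `%{?systemd_requires}` macro) to guarantee the helper is present when the scriptlet executes. Because the scriptlet changes the running kernel's ptrace_scope immediately, the absence of a %postun also means uninstalling the package removes the file but leaves the live value at 0 until reboot; either add a %postun that re-applies the remaining sysctl.d configuration or document that behaviour in the description.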
@@ -197,6 +219,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %files libelf-devel-static
 %{_libdir}/libelf.a
 
+%files default-yama-scope
+%config(noreplace) %{_sysctldir}/10-default-yama-scope.conf
+
 %changelog
 * Fri Jun 19 2015 Mark Wielaard <mark@gmail.com> 0.163-1
 - Bug fixes only, no new features.
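Review bot: `%config(noreplace) %{_sysctldir}/10-default-yama-scope.conf` is the right attribute here: an administrator who has raised ptrace_scope in that file keeps the edit across upgrades, and the %post then re-applies their value rather than the package's. Note that the first install still resets the live value, which is the point the package description should make. Separately, the %changelog still ends at the 0.163-1 entry and carries no line for the new default-yama-scope subpackage.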