The Yama security module is supposed to be able to prevent users from running the ptrace system call, yet even with kernel.yama.ptrace_scope set to 3, users can still run strace (which uses ptrace).
From the docs:
3 - no attach: no processes may use ptrace with PTRACE_ATTACH nor via
PTRACE_TRACEME. Once set, this sysctl value cannot be changed.
The Yama module does seem to be loaded:
/var/log/dmesg:[ 0.000127] Yama: becoming mindful.
This is on RHEL7, with SELinux also installed, which may be relevant. LSMs are supposed to be stackable, and I am seeing the above message in dmesg, so it appears to be active. As an aside, once set to 3, the sysctl value is immutable - I don't know if that implies that the Yama module is active or not.
Interestingly, on Ubuntu (without Apparmor, I believe), setting the value to 3 does prevent ptrace from running - running strace -p (as root) gives a permission denied error.
I'm concerned, as Yama is supposed to mitigate against a couple of other vulnerabilities.
It has just occurred to me to reboot without SELinux and see if it works in that context - I'll update once I have done so.
Is Yama deprecated (there's an SELinux boolean which handles this behaviour - it's deny_ptrace)? I can find very little in the way of documentation.
UPDATE: (even without SELinux loaded, Yama does nothing)
Oct 2 12:30:00 xx kernel: Command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.11.6.el7.x86_64 root=/dev/mapper/rpool-root ro crashkernel=auto rd.lvm.lv=rpool/root rd.lvm.lv=rpool/swap rhgb ipv6.disable=1 biosdevname=0 net.ifnames=0 quiet audit=1 fips=1 boot=/dev/sda1 audit=1 CONFIG_SECURITY_YAMA=y selinux=0
Oct 2 12:30:00 xx kernel: Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.11.6.el7.x86_64 root=/dev/mapper/rpool-root ro crashkernel=auto rd.lvm.lv=rpool/root rd.lvm.lv=rpool/swap rhgb ipv6.disable=1 biosdevname=0 net.ifnames=0 quiet audit=1 fips=1 boot=/dev/sda1 audit=1 CONFIG_SECURITY_YAMA=y selinux=0
Oct 2 12:30:00 xx kernel: SELinux: Disabled at boot.
Oct 2 12:30:00 xx kernel: EVM: security.selinux
Oct 2 12:30:00 xx systemd[1]: systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Oct 2 12:30:03 xx systemd: systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
And Yama still doesn't deny ptrace:
xx:root@~ #strace -p 2195
strace: Process 2195 attached
restart_syscall(<... resuming interrupted poll ...>strace: Process 2195 detached
<detached ...>
xx:root@~ #sysctl -a -r yama
kernel.yama.ptrace_scope = 3
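Added example, not code from the question or from any answer: a small C probe that reads ptrace_scope and then actually exercises the two ptrace paths that mode 3 is documented to refuse, PTRACE_TRACEME from a child and PTRACE_ATTACH to a child, so the value the sysctl reports can be compared with what the kernel really does. The verdict names, the probe functions and the child exit-code convention are this example's own. Two things worth checking alongside it on a 3.10-series kernel: CONFIG_SECURITY_YAMA=y on the boot command line is a build-time symbol and does nothing as a boot parameter, and kernels of that generation only apply Yama's hooks next to the primary LSM when built with CONFIG_SECURITY_YAMA_STACKED (compare /boot/config-$(uname -r)).

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Where Yama exposes kernel.yama.ptrace_scope (path known from the sysctl name). */
#define YAMA_SCOPE_FILE "/proc/sys/kernel/yama/ptrace_scope"

/* Verdict names are this example's own, not anything Yama prints. */
enum verdict {
    VERDICT_NO_YAMA,            /* sysctl file absent: Yama not built in or not registered   */
    VERDICT_ENFORCING,          /* scope 3 and both ptrace paths refused with EPERM          */
    VERDICT_NOT_ENFORCING,      /* scope 3 but a ptrace path still succeeded                 */
    VERDICT_DESCENDANT_ALLOWED, /* scope 0/1: tracing your own child works, as documented    */
    VERDICT_DENIED_ELSEWHERE,   /* scope 0/1 yet refused: SELinux deny_ptrace, seccomp, ...  */
    VERDICT_INCONCLUSIVE        /* scope 2 (depends on CAP_SYS_PTRACE) or a probe failed     */
};

const char *verdict_name(enum verdict v)
{
    static const char *names[] = { "no-yama", "enforcing", "not-enforcing",
                                   "descendant-allowed", "denied-elsewhere", "inconclusive" };
    return names[v];
}

/* Parse the sysctl text ("3\n") into 0..3; anything else yields -1. */
int parse_ptrace_scope(const char *text)
{
    if (text == NULL || text[0] < '0' || text[0] > '3')
        return -1;
    if (text[1] != '\0' && text[1] != '\n')
        return -1;
    return text[0] - '0';
}

/* Read the live value; -1 when the file cannot be read. */
int read_ptrace_scope(void)
{
    char buf[16] = {0};
    FILE *f = fopen(YAMA_SCOPE_FILE, "r");
    if (f == NULL)
        return -1;
    const char *line = fgets(buf, sizeof buf, f);
    fclose(f);
    return line ? parse_ptrace_scope(buf) : -1;
}

/* Probes return 1 = allowed, 0 = refused with EPERM, -1 = could not test. */
int probe_traceme(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: ask to be traced by its parent, report the outcome as its exit code. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == 0)
            _exit(0);
        _exit(errno == EPERM ? 1 : 2);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 0) return 1;
    if (WEXITSTATUS(status) == 1) return 0;
    return -1;
}

int probe_attach(void)
{
    int status, rc;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        for (;;)                        /* Child: idle target; the parent kills it. */
            pause();
    }
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == 0) {
        waitpid(pid, &status, 0);       /* consume the attach stop before detaching */
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
        rc = 1;
    } else {
        rc = (errno == EPERM) ? 0 : -1;
    }
    kill(pid, SIGKILL);
    waitpid(pid, &status, 0);
    return rc;
}

/* Compare what the sysctl claims with what the probes observed. */
enum verdict assess(int scope, int traceme, int attach)
{
    if (scope < 0)
        return VERDICT_NO_YAMA;
    if (scope == 3) {
        if (traceme == 1 || attach == 1) return VERDICT_NOT_ENFORCING;
        if (traceme == 0 && attach == 0) return VERDICT_ENFORCING;
        return VERDICT_INCONCLUSIVE;
    }
    if (scope == 2 || traceme < 0 || attach < 0)
        return VERDICT_INCONCLUSIVE;
    return (traceme == 1 && attach == 1) ? VERDICT_DESCENDANT_ALLOWED
                                         : VERDICT_DENIED_ELSEWHERE;
}

int main(void)
{
    int scope = read_ptrace_scope(), traceme = probe_traceme(), attach = probe_attach();
    printf("ptrace_scope=%d traceme=%d attach=%d verdict=%s\n",
           scope, traceme, attach, verdict_name(assess(scope, traceme, attach)));
    return 0;
}
```

Run it as root to mirror the strace -p experiment in the question: with Yama's hooks active, mode 3 refuses the attach before any capability check, so even root should see both probes return 0 and the verdict "enforcing"; a verdict of "not-enforcing" with ptrace_scope=3 reproduces the situation the question describes, and "denied-elsewhere" at scope 0 or 1 points at a different mechanism (such as the SELinux deny_ptrace boolean) rather than Yama.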