The Yama security module is supposed to be able to prevent users from running the ptrace system call, yet even with kernel.yama.ptrace_scope set to 3, users can still run strace (which uses ptrace).

From the docs:

3 - no attach: no processes may use ptrace with PTRACE_ATTACH nor via
    PTRACE_TRACEME. Once set, this sysctl value cannot be changed.

The Yama module does seem to be loaded:

/var/log/dmesg:[    0.000127] Yama: becoming mindful.

This is on RHEL7, with SELinux also installed, which may be relevant. LSMs are supposed to be stackable, and I am seeing the above message in dmesg, so it appears to be active. As an aside, once set to 3, the sysctl value is immutable - I don't know if that implies that the Yama module is active or not.

Interestingly, on Ubuntu (without Apparmor, I believe), setting the value to 3 does prevent ptrace from running - running strace -p (as root) gives a permission denied error.

I'm concerned, as Yama is supposed to mitigate against a couple of other vulnerabilities.

It has just occurred to me to reboot without SELinux and see if it works in that context - I'll update once I have done so.

Is Yama deprecated (there's a SELinux boolean which handles this behaviour - it's deny_ptrace)? I can find very little in the way of documentation.

UPDATE: (even without SELinux loaded, Yama does nothing)

Oct  2 12:30:00 xx kernel: Command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.11.6.el7.x86_64 root=/dev/mapper/rpool-root ro crashkernel=auto rd.lvm.lv=rpool/root rd.lvm.lv=rpool/swap rhgb ipv6.disable=1 biosdevname=0 net.ifnames=0 quiet audit=1 fips=1 boot=/dev/sda1 audit=1 CONFIG_SECURITY_YAMA=y selinux=0
Oct  2 12:30:00 xx kernel: Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.11.6.el7.x86_64 root=/dev/mapper/rpool-root ro crashkernel=auto rd.lvm.lv=rpool/root rd.lvm.lv=rpool/swap rhgb ipv6.disable=1 biosdevname=0 net.ifnames=0 quiet audit=1 fips=1 boot=/dev/sda1 audit=1 CONFIG_SECURITY_YAMA=y selinux=0
Oct  2 12:30:00 xx kernel: SELinux:  Disabled at boot.
Oct  2 12:30:00 xx kernel: EVM: security.selinux
Oct  2 12:30:00 xx systemd[1]: systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Oct  2 12:30:03 xx systemd: systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)

And Yama still doesn't deny ptrace:

xx:root@~ #strace -p 2195
strace: Process 2195 attached
restart_syscall(<... resuming interrupted poll ...>strace: Process 2195 detached
 <detached ...>
xx:root@~ #sysctl -a -r yama
kernel.yama.ptrace_scope = 3
  • Not exactly related to yama, but on RHEL there is a SELinux boolean to disable ptrace. – sebasth Oct 02 '18 at 11:19
  • Yeah thanks - I did mention it, but should have given the value: it's deny_ptrace. With your advice on making selinux immutable, we may be able to forget about Yama. The Yama way is more flexible in that it has 3 possible values, although only '3' is immutable. – Graham Nicholls Oct 02 '18 at 11:20
  • Making SELinux immutable: https://unix.stackexchange.com/questions/472731/is-it-possible-to-prevent-a-change-in-selinux-status-without-a-reboot – Graham Nicholls Oct 16 '18 at 14:29
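A direct way to settle "is the sysctl actually enforced?" is to attempt PTRACE_ATTACH yourself and compare the outcome with what the documented Yama levels promise. The program below is an added example, not part of the question or any answer; it assumes Linux with /proc mounted and attaches to its own child, so at levels 0 and 1 the attach is expected to succeed, level 2 should deny only non-root, and level 3 must fail with EPERM for everyone (the symptom in the question is scope 3 with a successful attach).

```c
/* yama_probe.c: check whether kernel.yama.ptrace_scope is really enforced.
 * Added example (not from the original question). Assumes Linux + /proc. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/wait.h>

/* Returns the sysctl value, or -1 if the file is absent (Yama not built in). */
int read_ptrace_scope(void) {
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    int scope = -1;
    if (f) { if (fscanf(f, "%d", &scope) != 1) scope = -1; fclose(f); }
    return scope;
}

/* Documented policy for attaching to one's own child: 3 denies everyone,
 * 2 denies callers without CAP_SYS_PTRACE (approximated here by euid 0),
 * 0 and 1 allow it (the child is a descendant). */
int expected_denied(int scope, int is_root) {
    if (scope == 3) return 1;
    if (scope == 2) return !is_root;
    return 0;
}

/* Forks a sleeping child and tries PTRACE_ATTACH on it.
 * Returns 0 if the attach succeeded, otherwise the errno it failed with. */
int probe_attach(void) {
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) { pause(); _exit(0); }   /* target: idle until killed */
    int rc = 0;
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) {
        rc = errno;
    } else {
        waitpid(pid, NULL, 0);             /* consume the attach SIGSTOP */
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
    }
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return rc;
}

int main(void) {
    int scope = read_ptrace_scope(), root = (geteuid() == 0);
    int rc = probe_attach();
    printf("ptrace_scope=%d euid_root=%d attach=%s\n", scope, root,
           rc ? strerror(rc) : "allowed");
    if (scope < 0) puts("Yama sysctl absent: module not built or not enabled");
    else if ((rc == EPERM) == expected_denied(scope, root)) puts("Yama behaves as documented");
    else puts("MISMATCH: the sysctl value is not being enforced");
    return 0;
}
```

Run it once as an unprivileged user and once as root; a "MISMATCH" at scope 3 reproduces the behaviour described above, whereas a missing sysctl file means the LSM is not present at all.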
