Source: linux
Severity: wishlist
X-Debbugs-Cc: tails-...@boum.org

Hi,

TL;DR -> please enable SECURITY and SECURITY_YAMA_STACKED.

As the maintainers of the Debian Linux kernel surely know, the Yama LSM "collects a number of system-wide DAC security protections that are not handled by the core kernel itself", including ptrace scope restrictions on which user/process can examine the memory and running state of other processes. Details can be found in Documentation/security/Yama.txt.

It was considered [1] for backporting in the Wheezy kernel, but did not make it eventually. Yama has been part of the mainline Linux kernel since 3.4. Moreover, since Linux 3.7, the Yama LSM can be automatically stacked regardless of which security module is the "primary" module, so it's compatible with AppArmor.

[1] https://lists.debian.org/debian-kernel/2012/06/msg00074.html

I've been testing Yama, combined with AppArmor, on my main Wheezy desktop system since February, compiling every kernel from Debian experimental (starting with 3.7.8-1~experimental.1, up to the current 3.8.5-1~experimental.1) with the `SECURITY_YAMA` and `SECURITY_YAMA_STACKED` options enabled. I've not noticed any regression.

Regarding the ptrace_scope setting:

* The default is "1" (restricted ptrace).
* Ubuntu has been running with something equivalent to the default mode ("1") since 10.10, so most serious blockers should hopefully have been resolved.
* I've been running it in the stricter "2 - admin-only attach" mode, instead of the default "1 - restricted ptrace" one, and did not notice any issue. However, this setting is supposed to break various crash handlers, so it's probably not an option for default Debian installations. So, I suggest we keep the default value ("1") for Jessie.

The beginning of the Jessie development cycle seems like a good time to bring such changes in, so I suggest Yama is enabled in our 3.8+ kernels once the kernel team is done with their last Wheezy-related urgent tasks :)

Cheers,
-- 
intrigeri | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc

Archive: http://lists.debian.org/85bo9tyvdm....@boum.org
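Added example (written for this page, not part of intrigeri's report or of the Debian kernel) showing what the ptrace_scope modes discussed above change in practice: a tracer that is not an ancestor of its target is refused with EPERM under scope 1 unless the target opts in with prctl(PR_SET_PTRACER), which is the hook crash handlers use; it also reads the live sysctl value. It assumes a Linux host; whether the attach is refused depends on the running kernel's scope, on CAP_SYS_PTRACE, and on any seccomp filter in the way.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef PR_SET_PTRACER
#define PR_SET_PTRACER 0x59616d61 /* "Yama", as in linux/prctl.h */
#endif
#ifndef PR_SET_PTRACER_ANY
#define PR_SET_PTRACER_ANY ((unsigned long)-1)
#endif

/* Current kernel.yama.ptrace_scope, or -1 when Yama is not available. */
int yama_ptrace_scope(void) {
    int scope = -1;
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (f) { if (fscanf(f, "%d", &scope) != 1) scope = -1; fclose(f); }
    return scope;
}

/* Tracee T and tracer R are forked as siblings, so R is no descendant of T:
 * scope 1 refuses the attach (EPERM) unless T opts in via PR_SET_PTRACER,
 * the call crash handlers use. Returns 0 if R attached, else R's errno. */
int sibling_attach(int tracee_opts_in) {
    int fds[2];
    if (pipe(fds) < 0) return errno;
    pid_t t = fork();
    if (t < 0) return errno;
    if (t == 0) {                                   /* tracee */
        if (tracee_opts_in) prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0);
        if (write(fds[1], "r", 1) < 0) _exit(1);    /* policy is now set */
        for (;;) pause();                           /* wait to be killed */
    }
    char c;
    if (read(fds[0], &c, 1) != 1) kill(t, SIGKILL); /* tracee never got ready */
    pid_t r = fork();
    if (r == 0) {                                   /* tracer */
        int e = 0;
        if (ptrace(PTRACE_ATTACH, t, NULL, NULL) < 0) e = errno;
        else { waitpid(t, NULL, 0); ptrace(PTRACE_DETACH, t, NULL, NULL); }
        _exit(e);
    }
    int status = -1;
    if (r > 0) waitpid(r, &status, 0);
    kill(t, SIGKILL); waitpid(t, NULL, 0);          /* clean up the tracee */
    close(fds[0]); close(fds[1]);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

On a kernel running with scope 1 as an unprivileged user, sibling_attach(0) returns EPERM and sibling_attach(1) returns 0; with scope 0 both succeed, and with scope 2 or 3 both are refused.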