search

GalliumOS / galliumos-distro

Docs, issues, and artwork sources for GalliumOS
https://galliumos.org/
GNU General Public License v2.0
349 stars 11 forks source link

Yama security module not enabled in kernel #514

Open chrisjohgorman opened 5 years ago

chrisjohgorman commented 5 years ago

Hello All,

In experimenting with some of the newer kernels I have found that CONFIG_SECURITY_YAMA is disabled in GalliumOS. This leads to the failure of /etc/sysctl.d/10-ptrace.conf which tries to set /proc/sys/kernel/yama/ptrace_scope to 1.

We should either enable CONFIG_SECURITY_YAMA or disable 10-ptrace.conf. Yama is enabled in the default Ubuntu 18.04 with the intent of preventing a malicious attacker from attaching to running processes to examine them with tools like gdb and strace.

For more information on this and a better description of the security reasons for enabling this, please see your kernel Documentation/admin-guide/LSM/Yama.rst.

My machine specs are ... dmidecode -s system-product-name Banon My firmware is essentially MattDevo. (He helped me build my own firmware from his git tree.') My installation method was ISO. And to reproduce the problem build kernel 5.2 and look at the dmesg output. The kernel can't set /proc/sys/kernel/yama/ptrace_scope.

Chris

OS-WS commented 3 years ago

Hi, Is there any plan to address this vulnerability? Note that it appears that CVE-2019-15325 was assigned to this issue.