Re: F44 Change Proposal: Mitigate vulnerabilities/attacks by enabling kernel.kptr_restrict and net.core.bpf_jit_harden by default, and by obsoleting a package that risks to accidentally disable kernel.yama.ptrace_scope by default [SystemWide]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

The initial discussion link is cut-off for me both on hyperkitty and thunderbird, so I'm gonna try reposting it: 
https://discussion.fedoraproject.org/t/increase-security-by-adjusting-kernel-settings-by-default-kernel-yama-ptrace-scope-net-core-bpf-jit-harden-both-defaulting-to-1

To sum up what I said over there already that is worth knowing:
- YAMA was enabled in the Fedora kernel without changing any of the defaults
- `kernel.yama.ptrace_scope` is 1 by default in the upstream kernel and thus also in the Fedora kernel - its set to 0 by the `elfutils-default-yama-scope` package which is dependent on by `elfutils-libs` so thats elfutils can work with processes that are not its children. - systemd depnds on `elfutils-libs` so this this change is effectively system-wide 

Some addititional info and bugzilla links to read up on prior history:
- the upstream kernel believes that having it on by default is best
- the fedora kernel maintainers at the time (2015) did not want to maintain a patch 
- turning off yama was also rejected
- the elfutils package added the config as a bugfix with no change proposal or fesco approval I could find despite having system-wide ramifications 
https://bugzilla.redhat.com/show_bug.cgi?id=1196825
https://bugzilla.redhat.com/show_bug.cgi?id=1209492
https://bugzilla.redhat.com/show_bug.cgi?id=1234951
https://bugzilla.redhat.com/show_bug.cgi?id=1250079
https://bugzilla.redhat.com/show_bug.cgi?id=1250178

Some personal thoughts:
- Other distros already default to the ptrace protection to 1 and seem to work without any well known problems, what would break on Fedora? (besides arbitrary debugging setups which I consider to be invalid arguments) - tools like gdb or strace are most often than not used on child processes that the tool itself spawned with all other uses cases being behind 1 config change that could be done either system-wide via an optional package or by running a single command as root at runtime, we shouldn't give applications arbitrary access to other applications just so developers won't have to run 1 command 

--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux