security: allow Yama to be unconditionally stacked
Unconditionally call Yama when CONFIG_SECURITY_YAMA_STACKED is selected,
no matter what LSM module is primary.
Ubuntu and Chrome OS already carry patches to do this, and Fedora
has voiced interest in doing this as well. Instead of having multiple
distributions (or LSM authors) carrying these patches, just allow Yama
to be called unconditionally when selected by the new CONFIG.
Signed-off-by: Kees Cook <email address hidden>
Acked-by: Serge E. Hallyn <email address hidden>
Acked-by: Eric Paris <email address hidden>
Acked-by: John Johansen <email address hidden>
Signed-off-by: James Morris <email address hidden>
(cherry picked from c6993e4ac002c92bc75379212e9179c36d4bf7ee)
Signed-off-by: Tyler Hicks <email address hidden>
Signed-off-by: Tim Gardner <email address hidden>
Yama: higher restrictions should block PTRACE_TRACEME
The higher ptrace restriction levels should be blocking even
PTRACE_TRACEME requests. The comments in the LSM documentation are
misleading about when the checks happen (the parent does not go through
security_ptrace_access_check() on a PTRACE_TRACEME call).
Signed-off-by: Kees Cook <email address hidden>
Cc: <email address hidden> # 3.5.x and later
Signed-off-by: James Morris <email address hidden>
(back ported from 9d8dad742ad1c74d7e7210ee05d0b44961d5ea16)
[tyhicks: pull in task_user_ns() from commit f1c84dae0ecc51aa]
Signed-off-by: Tyler Hicks <email address hidden>
Signed-off-by: Tim Gardner <email address hidden>
This expands the available Yama ptrace restrictions to include two more
modes. Mode 2 requires CAP_SYS_PTRACE for PTRACE_ATTACH, and mode 3
completely disables PTRACE_ATTACH (and locks the sysctl).
For a process to entirely disable Yama ptrace restrictions, it can use
the special PR_SET_PTRACER_ANY pid to indicate that any otherwise allowed
process may ptrace it. This is stronger than calling PR_SET_PTRACER with
pid "1" because it includes processes in external pid namespaces. This is
currently needed by the Chrome renderer, since its crash handler (Breakpad)
runs external to the renderer's pid namespace.
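The ptrace_scope modes and the PR_SET_PTRACER_ANY opt-in described in this commit, as an added example that is not part of the kernel patches themselves: it reads the Yama sysctl, maps each mode to its meaning, and shows the prctl a crash-handled process such as the renderer would issue. It assumes a Linux host; the prctl constants are spelled out so the file also compiles where linux/prctl.h is absent.

```c
/* Added example (not from the commits above): inspect the Yama ptrace_scope
 * sysctl and opt a process in to PR_SET_PTRACER_ANY. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif
/* Values from linux/prctl.h, spelled out so this compiles without the header. */
#ifndef PR_SET_PTRACER
#define PR_SET_PTRACER 0x59616d61 /* "Yama" */
#endif
#ifndef PR_SET_PTRACER_ANY
#define PR_SET_PTRACER_ANY ((unsigned long)-1)
#endif

/* Meaning of each ptrace_scope value, as the commit message describes them. */
const char *yama_mode_description(int mode)
{
    switch (mode) {
    case 0: return "classic: same-uid dumpable processes may be attached to";
    case 1: return "restricted: only descendants or a PR_SET_PTRACER-declared tracer";
    case 2: return "admin-only: PTRACE_ATTACH requires CAP_SYS_PTRACE";
    case 3: return "no attach: PTRACE_ATTACH disabled and the sysctl locked";
    default: return "unknown mode";
    }
}

/* Current mode (0-3), or -1 when Yama is absent or the sysctl is unreadable. */
int read_ptrace_scope(void)
{
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    int mode = -1;
    if (!f) return -1;
    if (fscanf(f, "%d", &mode) != 1 || mode < 0 || mode > 3) mode = -1;
    fclose(f);
    return mode;
}

/* What a crash handler's target (the renderer in the text) does: allow any
 * otherwise-permitted process, even in another pid namespace, to attach.
 * Returns 0 on success or the errno (EINVAL when Yama is not loaded). */
int allow_any_ptracer(void)
{
#ifdef __linux__
    return prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0) == 0 ? 0 : errno;
#else
    return ENOSYS;
#endif
}
```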