Wiki: https://fedoraproject.org/wiki/Changes/Restrict_ptrace_by_default
Discussion Thread: https://discussion.fedoraproject.org/t/180476

**This is a proposed Change for Fedora Linux.** This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

== Summary ==

By default, disable *some* debugging permissions for unprivileged users using a system-wide kernel setting, so malware cannot inspect other preexisting processes of an unprivileged user. When debugging tools are installed, re-enable *full* normal functionality system-wide using a sysctl file, as is the status quo up to Fedora 44. This is a *compromise* proposal to follow up several failures to achieve a consensus.

== Owner ==

* Name: [[User:FChE| Frank Ch. Eigler]], [[User:MJW| Mark Wielaard]], [[User:py0xc3| Christopher Klooz]]
* Email: <code>[email protected]</code>, <code>[email protected]</code>, <code>[email protected]</code>

== Detailed Description ==

ptrace is a kernel API that enables debugging-like tools to inspect and take control of processes and their data on a Linux system. It is essential for profilers and debuggers. The Linux environment traditionally allows a user to ptrace (debug) only their own processes, but does not restrict a process from ptracing other processes of the same user. A few years ago, a Linux security module called [https://www.kernel.org/doc/Documentation/admin-guide/LSM/Yama.rst yama] was added to the kernel to further limit ptrace to *child* processes only. This mode allows debuggers and profilers to *start* child processes to inspect, but not to attach to another preexisting process, even if it belongs to the same user. This mode setting does not affect processing core files nor *producing core dumps*. Also, this mode setting does not affect *root*.
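The restriction just described can be checked empirically; the program below is an added example, not code from the proposal or from elfutils: it reads <code>kernel.yama.ptrace_scope</code>, states what the documented Yama rule predicts, and then has a sibling process (not an ancestor of the target, standing in for a preexisting process of the same user) attempt <code>PTRACE_ATTACH</code>. It assumes a Linux kernel with Yama and models root as holding CAP_SYS_PTRACE.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Current kernel.yama.ptrace_scope, or -1 if Yama is absent or unreadable. */
int read_ptrace_scope(void) {
    int v = -1;
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (f) { if (fscanf(f, "%d", &v) != 1) v = -1; fclose(f); }
    return v;
}

/* The documented Yama rule: 0 = any same-uid target, 1 = descendants only,
 * 2 = CAP_SYS_PTRACE holders only, 3 = no attach at all. Root is modelled as
 * holding CAP_SYS_PTRACE (an assumption of this example). */
int attach_expected(int scope, int is_descendant, int is_root) {
    if (scope <= 0) return 1;
    if (scope == 1) return is_descendant || is_root;
    if (scope == 2) return is_root;
    return 0;
}

/* Fork an idle same-uid target, then from a *sibling* (not an ancestor of the
 * target) try PTRACE_ATTACH. Returns 1 on success, 0 on EPERM, -1 otherwise. */
int probe_sibling_attach(void) {
    pid_t target = fork();
    if (target == 0) { pause(); _exit(0); }   /* stand-in for a preexisting process */
    pid_t tracer = fork();
    if (tracer == 0) {
        int rc = 2;                             /* 2 = unexpected error */
        if (ptrace(PTRACE_ATTACH, target, NULL, NULL) == 0) {
            waitpid(target, NULL, 0);           /* tracee stops on attach */
            ptrace(PTRACE_DETACH, target, NULL, NULL);
            rc = 1;
        } else if (errno == EPERM) rc = 0;
        _exit(rc);
    }
    int status = 0; waitpid(tracer, &status, 0);
    kill(target, SIGKILL); waitpid(target, NULL, 0);   /* clean up the target */
    int rc = WIFEXITED(status) ? WEXITSTATUS(status) : 2;
    return rc == 2 ? -1 : rc;
}
int main(void) {
    int s = read_ptrace_scope(), root = geteuid() == 0;
    printf("scope=%d predicted=%d observed=%d\n", s, attach_expected(s, 0, root), probe_sibling_attach());
}
```

With <code>ptrace_scope = 1</code> and a non-root user the observed value is 0 (EPERM), which is the behaviour the proposal wants on machines without debugger-type tools; after installing <code>yama-ptrace-enable</code> it becomes 1.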
Since yama broke several use cases for developers, Fedora included an override sysctl.d file in the <code>elfutils-default-yama-scope</code> subpackage, which was required by a low-level *library* required by core Fedora userspace, and thus installed on every Fedora system. This means that on current Fedora versions, yama is disabled and ptrace operations are generally permitted. The kernel default is that yama is enabled. Most Linux distributions adopted the kernel default (e.g., Arch, openSUSE, Ubuntu); others disabled yama like Fedora (e.g., Debian). But other distributions do not necessarily reflect the best compromise for Fedora.

This proposal implements a compromise between different stakeholders about an acceptable balance between the security advantages of yama and the user experience for developers: the kernel's yama security module setting is enabled system-wide, which restricts ptrace on those Fedora machines where no debugging-type tools are installed, but ptrace is fully enabled (disabling yama) once one is installed. Specifically:

* Remove the <code>Requires: default-yama-scope</code> dependency from <code>elfutils-libs</code>.
* For handling upgrades, add <code>Obsoletes: elfutils-default-yama-scope</code> there.
* Rename <code>elfutils-default-yama-scope</code> to <code>yama-ptrace-enable</code>.
* Add <code>Recommends: yama-ptrace-enable</code> (or <code>Requires:</code> if appropriate) to each debugger-type tool that customarily uses non-child ptrace functionality. None of these packages is installed by default in common composes.
** <code>elfutils</code>
** <code>systemtap</code>
** <code>gdb</code> (currently Recommends: default-yama-scope)
** <code>lldb</code>
** <code>delve</code>
** <code>strace</code>
** <code>ltrace</code>
** <code>.......</code>

== Feedback ==

Suggestions related to this have been brought up several times over the years, generally arousing controversy.
Most recently, [[Changes/Restrict_ptrace_for_unprivileged_users_to_child_processes_to_match_kernel_default]] was rejected by FESCo, inviting this present change as a compromise alternative.

== Benefit to Fedora ==

Potential security benefit in some conditions from malicious or captured processes that become unable to inspect a user's other processes, which may hold crypto or other secrets that *might* be hard to penetrate otherwise.

== Scope ==

* Proposal owners: Tweak <code>elfutils</code> subpackages as above. File bugs against known ptrace-dependent packages to notify them of the change.
* Other developers: Packagers of debugging / profiling tools that may customarily operate in non-child mode need to add a <code>Recommends: yama-ptrace-enable</code> or similar to their .spec files.
* Release engineering: [https://forge.fedoraproject.org/releng/tickets/issues/13191 forge 13191]
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with the Fedora Strategy: Security while still embracing developers and other users.

== Upgrade/compatibility impact ==

Machines upgraded from previous versions of Fedora, without any of the non-child ptrace debugger-type tools installed, should have the elfutils sysctl file removed. (If FESCo prefers upgrades not to default to the new behaviour, we can omit this part by dropping the "Obsoletes:" part above.) Machines being upgraded with those non-child ptrace tools already installed should get the file preserved. Machines that have any debugger-type tools installed should fully work with non-child "-p $PID" type operation.

== Early Testing (Optional) ==

Do you require 'QA Blueprint' support? Y/N

== How To Test ==

# Run a Fedora live image or install a Fedora image.
# Verify that <code>sysctl -a | grep yama</code> shows <code>kernel.yama.ptrace_scope = 1</code>.
# Install <code>elfutils</code> or another similar package.
# Verify that <code>sysctl -a | grep yama</code> shows <code>kernel.yama.ptrace_scope = 0</code>.
# Verify that <code>eu-stack -v -p $$</code> works.

== User Experience ==

Users should not generally notice a difference, unless they use debugger-like packages that do not follow the above "Recommends:" migration path, or are hand-compiled or script-language-based.

== Dependencies ==

Debugger-type tools that customarily enable non-child ptrace operations should be packaged with the new RPM dependency. Interpreted programming language runtimes that expose ptrace incidentally should probably not be packaged with this new dependency. Programs written in these languages, packaged into separate RPMs, should.

== Contingency Plan ==

* Contingency mechanism: Restore status quo ante in <code>elfutils.spec</code>.
* Contingency deadline: Any time before release compose.
* Blocks release? No.

== Documentation ==

"With Fedora 45, the [https://www.kernel.org/doc/Documentation/admin-guide/LSM/Yama.rst kernel] restricts ptrace debugging-type operations in some ways by default, as a security measure. When a debugger-type package is installed, full traditional ptrace functionality is enabled. Install the <code>yama-ptrace-enable</code> package manually if needed."

== Release Notes ==
-- _______________________________________________ devel-announce mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
