Bug 1219656

Summary: AUDIT-WHITELIST: aaa_base: sysctl-file-digest-mismatch /usr/lib/sysctl.d/52-yama.conf
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Ana Guerrero <ana.guerrero>
Component: Security
Assignee: Wolfgang Frisch <wolfgang.frisch>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: wolfgang.frisch
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Ana Guerrero 2024-02-07 07:34:34 UTC
Last upload of aaa_base https://build.opensuse.org/request/show/1143637 has triggered:

[   25s] aaa_base.i586: E: sysctl-file-digest-mismatch (Badness: 10000) /usr/lib/sysctl.d/52-yama.conf expected sha256:e874c084daaf0035d29687ec65275ad5b429ca312b72ef7f6362d2fd9d5bcc46, has:f801b862fe65a66ff56283254946e86016212977dd8583ac65d1a650b94131a8
[   25s] A whitelisting related sysctl.d drop-in file changed in content. Packaging
[   25s] sysctl.d drop in configuration files requires a review and whitelisting by the
[   25s] SUSE security team. If the package is intended for inclusion in any SUSE
[   25s] product please open a bug report to request review of the package by the
[   25s] security team. Please refer to
[   25s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[   25s] more information.

Thank you.
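The rpmlint check quoted above hashes the shipped drop-in and compares it with a reviewed digest; the following Python is an added illustration of that audit, not rpmlint's own code. It uses the path from the report but constructed file contents (the real file and its digests are not on the page), computes the sha256 over the raw bytes, parses the sysctl.d key/value lines (honouring the `-` ignore-errors prefix and slash-separated keys), and reports which setting actually changed between the whitelisted and the uploaded version.

```python
from __future__ import annotations

import hashlib

# Constructed sample content for the drop-in named in the report: the version
# before and after the ptrace_scope change. The real file contents (and hence
# the digests rpmlint printed) are not on the page and are not reproduced here.
DROPIN_PATH = "/usr/lib/sysctl.d/52-yama.conf"
OLD_CONF = "# Yama ptrace hardening (constructed sample)\n-kernel.yama.ptrace_scope = 0\n"
NEW_CONF = "# Yama ptrace hardening (constructed sample)\n-kernel.yama.ptrace_scope = 1\n"


def sha256_hex(data: bytes) -> str:
    """Digest the file exactly as shipped: whole content, raw bytes, no normalisation."""
    return hashlib.sha256(data).hexdigest()


def normalize_key(raw: str) -> tuple[str, bool]:
    """Return (dotted key, ignore_errors) for one sysctl.d key.

    A leading '-' tells sysctl to ignore a missing key (for example a kernel
    built without Yama). Slash-separated keys without dots are folded to the
    dotted form; keys mixing both separators are left as written.
    """
    ignore = raw.startswith("-")
    key = raw[1:] if ignore else raw
    if "/" in key and "." not in key:
        key = key.replace("/", ".")
    return key, ignore


def parse_sysctl(text: str) -> dict[str, str]:
    """Parse 'key = value' lines; '#' and ';' start comments, blank lines are skipped."""
    settings: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # malformed line: sysctl would warn, the audit ignores it
        dotted, _ignore = normalize_key(key.strip())
        settings[dotted] = value.strip()
    return settings


def audit_dropin(path: str, content: bytes, allowlist: dict[str, str]) -> dict:
    """Compare a drop-in against a digest allowlist the way the rpmlint check does.

    status is 'ok', 'digest-mismatch' (content changed since review) or
    'not-whitelisted' (file never reviewed). Settings are parsed in every case
    so a reviewer sees what the file actually sets.
    """
    actual = sha256_hex(content)
    expected = allowlist.get(path)
    if expected is None:
        status = "not-whitelisted"
    elif expected == actual:
        status = "ok"
    else:
        status = "digest-mismatch"
    return {
        "path": path,
        "status": status,
        "expected": expected,
        "actual": actual,
        "settings": parse_sysctl(content.decode("utf-8")),
    }


def diff_settings(old: dict[str, str], new: dict[str, str]) -> list[tuple[str, str | None, str | None]]:
    """List (key, old_value, new_value) for every key whose value differs."""
    changes = []
    for key in sorted(set(old) | set(new)):
        if old.get(key) != new.get(key):
            changes.append((key, old.get(key), new.get(key)))
    return changes


if __name__ == "__main__":
    # The allowlist records the digest of the reviewed (old) content, so the
    # new upload trips the digest check and the diff shows the changed value.
    allowlist = {DROPIN_PATH: sha256_hex(OLD_CONF.encode())}
    report = audit_dropin(DROPIN_PATH, NEW_CONF.encode(), allowlist)
    print(f"{report['path']}: {report['status']}")
    for key, old, new in diff_settings(parse_sysctl(OLD_CONF), report["settings"]):
        print(f"  {key}: {old!r} -> {new!r}")
```

The digest is deliberately taken over the raw bytes rather than the parsed settings: the point of the check is that any edit to a reviewed drop-in, including a comment or a reordered line, sends the file back for review, and parsing is only there to tell the reviewer what changed.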
Comment 1 Wolfgang Frisch 2024-02-07 08:09:33 UTC
Thanks for the bug report.
We will schedule it in our team shortly.
Comment 2 Wolfgang Frisch 2024-02-07 09:05:47 UTC
The change enables a ptrace() hardening in the Yama LSM.

> --kernel.yama.ptrace_scope = 0
> +-kernel.yama.ptrace_scope = 1
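Review bot: the second character on both lines is the sysctl ignore-errors prefix, not part of the diff marker, so the hunk reads `-kernel.yama.ptrace_scope = 0` removed and `-kernel.yama.ptrace_scope = 1` added; only the value changes, and the `-` prefix is kept, which means the drop-in still applies cleanly on a kernel without Yama. Worth stating in the request description so reviewers do not misread the double dash as a malformed hunk.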

Good!
Comment 3 Wolfgang Frisch 2024-02-07 09:12:02 UTC
For the curious: https://www.kernel.org/doc/Documentation/security/Yama.txt

> 1 - restricted ptrace: a process must have a predefined relationship
>     with the inferior it wants to call PTRACE_ATTACH on. By default,
>     this relationship is that of only its descendants when the above
>     classic criteria is also met. To change the relationship, an
>     inferior can call prctl(PR_SET_PTRACER, debugger, ...) to declare
>     an allowed debugger PID to call PTRACE_ATTACH on the inferior.
>     Using PTRACE_TRACEME is unchanged.

Whitelisting in progress:
https://github.com/rpm-software-management/rpmlint/pull/1187
Comment 4 OBSbugzilla Bot 2024-02-08 11:45:02 UTC
This is an autogenerated message for OBS integration:
This bug (1219656) was mentioned in
https://build.opensuse.org/request/show/1145135 Factory / rpmlint
Comment 5 Matthias Gerstner 2024-02-13 09:43:22 UTC
The whitelisting is now in Factory, closing as fixed.