Bugzilla – Bug 1219656
AUDIT-WHITELIST: aaa_base: sysctl-file-digest-mismatch /usr/lib/sysctl.d/52-yama.conf
Last modified: 2024-02-19 13:00:57 UTC
Last upload of aaa_base https://build.opensuse.org/request/show/1143637 has triggered:

[ 25s] aaa_base.i586: E: sysctl-file-digest-mismatch (Badness: 10000) /usr/lib/sysctl.d/52-yama.conf expected sha256:e874c084daaf0035d29687ec65275ad5b429ca312b72ef7f6362d2fd9d5bcc46, has:f801b862fe65a66ff56283254946e86016212977dd8583ac65d1a650b94131a8
[ 25s] A whitelisting related sysctl.d drop-in file changed in content. Packaging
[ 25s] sysctl.d drop in configuration files requires a review and whitelisting by the
[ 25s] SUSE security team. If the package is intended for inclusion in any SUSE
[ 25s] product please open a bug report to request review of the package by the
[ 25s] security team. Please refer to
[ 25s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 25s] more information. Thank you.
Thanks for the bug report. We will schedule it in our team shortly.
The change enables a ptrace() hardening in the Yama LSM.

> --kernel.yama.ptrace_scope = 0
> +-kernel.yama.ptrace_scope = 1

Good!
For the curious: https://www.kernel.org/doc/Documentation/security/Yama.txt

> 1 - restricted ptrace: a process must have a predefined relationship
> with the inferior it wants to call PTRACE_ATTACH on. By default,
> this relationship is that of only its descendants when the above
> classic criteria is also met. To change the relationship, an
> inferior can call prctl(PR_SET_PTRACER, debugger, ...) to declare
> an allowed debugger PID to call PTRACE_ATTACH on the inferior.
> Using PTRACE_TRACEME is unchanged.

Whitelisting in progress: https://github.com/rpm-software-management/rpmlint/pull/1187
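The review above boils down to two steps the rpmlint check leaves to a human: compare the drop-in's digest with the whitelisted one, then read what actually changed. The following is an added illustration written for this page, not rpmlint's or aaa_base's code; the file contents and the "whitelisted" digest are constructed, and the sysctl.d(5) parsing (leading `-` means a failure to set the key is ignored, `#`/`;` start comments) is a simplified model.

```python
"""Simplified model of the sysctl-file-digest-mismatch review (added example,
not rpmlint's own code): hash a sysctl.d drop-in, compare with the whitelisted
digest, and report which settings changed so a reviewer can judge the change."""
import hashlib

# Constructed contents: the drop-in as whitelisted, and the new upload's version.
OLD_CONF = "# Yama ptrace scope\n-kernel.yama.ptrace_scope = 0\n"
NEW_CONF = "# Yama ptrace scope\n-kernel.yama.ptrace_scope = 1\n"


def digest(content: str) -> str:
    """Return the digest in the 'sha256:<hex>' form the rpmlint message uses."""
    return "sha256:" + hashlib.sha256(content.encode()).hexdigest()


def parse_sysctl(content: str) -> dict:
    """Parse sysctl.d(5) lines into {key: (value, ignore_errors)}.

    A leading '-' asks sysctl not to fail if the key cannot be set (e.g. a
    kernel without the Yama LSM); '#' and ';' start comments.
    """
    settings = {}
    for line in content.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        ignore_errors = line.startswith("-")
        key, _, value = line.lstrip("-").partition("=")
        settings[key.strip()] = (value.strip(), ignore_errors)
    return settings


def review(old: str, new: str, whitelisted: str) -> dict:
    """Return the mismatch verdict plus the per-key differences old -> new."""
    before, after = parse_sysctl(old), parse_sysctl(new)
    changed = {k: (before.get(k), after.get(k))
               for k in sorted(set(before) | set(after))
               if before.get(k) != after.get(k)}
    actual = digest(new)
    return {"mismatch": actual != whitelisted, "digest": actual, "changed": changed}


if __name__ == "__main__":
    result = review(OLD_CONF, NEW_CONF, digest(OLD_CONF))
    if result["mismatch"]:
        print("E: sysctl-file-digest-mismatch, has:" + result["digest"])
        for key, (old, new) in result["changed"].items():
            print(f"  {key}: {old} -> {new}")
```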
This is an autogenerated message for OBS integration: This bug (1219656) was mentioned in https://build.opensuse.org/request/show/1145135 Factory / rpmlint
The whitelisting is now in Factory, closing as fixed.