Bugzilla – Bug 1226460
AUDIT-WHITELIST: aaa_base: sysctl.d/52-yama.conf
Last modified: 2024-07-05 12:39:23 UTC
As discussed in several threads, to make it easier for developers to enable ptrace again for development, aaa_base has a new sub-package with a sysctl.d file for this: aaa_base-yama-enable-ptrace /usr/lib/sysctl.d/52-yama.conf
Thank you for creating the AUDIT bug. We will schedule the review and whitelisting.
I'll handle this together with bug 1226464
Adding the sub-package for opting out of this is all right, but the way the change has been implemented seems wrong to me. The file /usr/lib/sysctl.d/52-yama.conf has been removed from the aaa_base main package, and now it is packaged in the aaa_base-yama-enable-ptrace sub-package instead. Its content changed as follows: -# legitimate usecases. --kernel.yama.ptrace_scope = 1 +# legitimate usecases, such as calling strace or gdb on other processes. +-kernel.yama.ptrace_scope = 0 This means the ptrace limitation is removed completely, and installing the sub-package doesn't do anything at all anymore. I'd say what is needed here is an additional sysctl.d drop-in file with higher priority like 53-yama-dev.conf, packaged in the new sub-package, while the previous version of 52-yama.conf, which sets ptrace_scope = 1, needs to stay in the main package.
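Review bot: the leading "-" in "-kernel.yama.ptrace_scope = 1" and "-kernel.yama.ptrace_scope = 0" is a sysctl.d directive (ignore the error if the key cannot be set, e.g. when the Yama LSM is not available), not a second removed or added line, so the diff changes exactly one setting: the value written to ptrace_scope. Since the new file lowers it to 0 for every process on the system, the package description should make clear that the sub-package is the development-only opt-out, as comment 1 states.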
It seems to be all right after all. The default setting of the YAMA security module for ptrace_scope is 1, and always has been. Thus dropping the sysctl file from aaa_base is okay, and only installing the new sub-package will change the scope to 0. This detail was not clear to me from looking at the commit that changed this. I will initiate the process for adjusting the whitelistings.
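The reasoning in the two comments above rests on how sysctl.d drop-ins are layered: same-named files in /etc/sysctl.d shadow /run/sysctl.d and /usr/lib/sysctl.d, and the remaining files are applied in lexical order, so a 53-yama-dev.conf overrides a 52-yama.conf. The script below, an added example that is not part of the bug or of aaa_base, resolves the effective value of a key under those rules against a constructed temp-root tree; the file name 53-yama-dev.conf is taken from the proposal in comment 7.

```shell
#!/bin/sh
# Added example (not from aaa_base): resolve which sysctl.d drop-in wins for a
# key. Files from /usr/lib, /run and /etc sysctl.d dirs are merged by basename
# (/etc shadows /run shadows /usr/lib), then applied in lexical order, so a
# later-sorting file overrides an earlier one. A leading "-" on a line only
# tells sysctl to ignore errors; it is not part of the key.

effective_sysctl() {
    root=$1 key=$2 value=""
    names=$(for d in usr/lib/sysctl.d run/sysctl.d etc/sysctl.d; do
                [ -d "$root/$d" ] && ls "$root/$d"
            done | sort -u)
    for name in $names; do
        for d in etc/sysctl.d run/sysctl.d usr/lib/sysctl.d; do
            f="$root/$d/$name"
            if [ -e "$f" ] || [ -L "$f" ]; then
                # a regular file contributes its last assignment of $key;
                # a symlink to /dev/null masks every lower-priority copy
                if [ -f "$f" ]; then
                    v=$(sed -n "s/^-\{0,1\}[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$f" | tail -n 1)
                    [ -n "$v" ] && value=$v
                fi
                break
            fi
        done
    done
    printf '%s\n' "$value"
}

# Constructed layout mirroring the split proposed in the bug: 52-yama.conf in
# the main package keeps scope 1, 53-yama-dev.conf from the sub-package lowers
# it to 0 because it sorts later. Built under a temp root, not the real system.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/sysctl.d" "$root/etc/sysctl.d"
    printf -- '-kernel.yama.ptrace_scope = 1\n' > "$root/usr/lib/sysctl.d/52-yama.conf"
    printf -- '-kernel.yama.ptrace_scope = 0\n' > "$root/usr/lib/sysctl.d/53-yama-dev.conf"
    printf '%s\n' "$root"
}

root=$(demo_tree)
echo "with both drop-ins: $(effective_sysctl "$root" kernel.yama.ptrace_scope)"
# An administrator wins over both by shadowing the sub-package file in /etc.
printf 'kernel.yama.ptrace_scope = 1\n' > "$root/etc/sysctl.d/53-yama-dev.conf"
echo "after /etc override: $(effective_sysctl "$root" kernel.yama.ptrace_scope)"
rm -rf "$root"
```

On a live system `sysctl kernel.yama.ptrace_scope` shows the value currently applied, which is what the script predicts for a given drop-in layout.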
This is an autogenerated message for OBS integration: This bug (1226460) was mentioned in https://build.opensuse.org/request/show/1183027 Factory / rpmlint
The whitelisting is now in Factory, closing as fixed.