Yama security module not enabled in kernel

[chrisjohgorman]

Hello All,

In experimenting with some of the newer kernels I have found that CONFIG_SECURITY_YAMA is disabled in GalliumOS. This leads to the failure of /etc/sysctl.d/10-ptrace.conf which tries to set /proc/sys/kernel/yama/ptrace_scope to 1.

We should either enable CONFIG_SECURITY_YAMA or disable 10-ptrace.conf. Yama is enabled in the default Ubuntu 18.04 with the intent of preventing a malicious attacker from attaching to running processes to examine them with tools like gdb and strace.

For more information on this and a better description of the security reasons for enabling this, please see your kernel Documentation/admin-guide/LSM/Yama.rst.

My machine specs are ... dmidecode -s system-product-name Banon My firmware is essentially MattDevo. (He helped me build my own firmware from his git tree.') My installation method was ISO. And to reproduce the problem build kernel 5.2 and look at the dmesg output. The kernel can't set /proc/sys/kernel/yama/ptrace_scope.

Chris

[OS-WS]

Hi, Is there any plan to address this vulnerability? Note that it appears that CVE-2019-15325 was assigned to this issue.