Enhance Yama protections with `proc_mem.force_override=ptrace`
proc_mem.force_override=ptrace
This essentially prevents a process from directly modifying its own memory mappings unless it is privileged.
https://github.com/a13xp0p0v/kernel-hardening-checker/pull/201
https://lwn.net/Articles/983169/
While `kernel.yama.ptrace_scope` effectively protects other processes, it does not prevent a compromised process from modifying its own protected memory pages. This creates a security gap, as self-modification can be exploited to trigger race condition vulnerabilities (e.g., CVE-2022-2590)!
I like this inclusion and, after testing it, have not come across any problems myself.
It makes logical sense and was certainly overlooked by the existing settings. Thanks for bringing it to our attention!
If no one objects to the inclusion, the choice is then either using `proc_mem.force_override=ptrace` or `proc_mem.force_override=never`.
Given that `ptrace()` is now disabled as per https://github.com/Kicksecure/security-misc/pull/322, it should not really matter. Using the former as you suggest is a good idea while also being easier to work with if re-enabling debugging. The latter is more strict as it removes all dependence on `ptrace()` but requires more effort for re-enabling debugging purposes.
Note that this parameter was added in kernel version 6.12 and so definitely merits inclusion prior to the pending release of Kicksecure 18, which will be based on Debian 13, which runs this kernel version.
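
An added example, not part of the thread or of security-misc: a small audit helper that reports which `proc_mem.force_override` mode a kernel command line requests, taking into account the 6.12 minimum mentioned above. The function names and sample inputs are constructed, and it assumes that the last occurrence wins when the parameter is repeated.

```shell
#!/bin/sh
# Added example: audit which proc_mem.force_override mode a kernel command
# line requests. Function names and sample inputs are constructed.

# Succeeds if the release string (as printed by `uname -r`) is >= 6.12,
# the version the thread gives for the parameter's introduction.
kernel_supports_param() {
    case $1 in *.*) ;; *) return 1 ;; esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    case $major in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$minor" ] || minor=0
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 12 ]; }
}

# Prints one of: unsupported | unset | always | ptrace | never | invalid
# Assumption: when the parameter is repeated, the last occurrence wins.
# The body runs in a subshell so `set -f` and variables do not leak.
force_override_mode() (
    set -f                      # no globbing while splitting the cmdline
    if ! kernel_supports_param "$2"; then
        echo unsupported        # parameter is not available on this kernel
        exit 0
    fi
    mode=unset                  # kernel build-time default applies
    for arg in $1; do
        case $arg in
            proc_mem.force_override=*)
                case ${arg#*=} in
                    always|ptrace|never) mode=${arg#*=} ;;
                    *)                   mode=invalid ;;
                esac ;;
        esac
    done
    echo "$mode"
)

# Constructed sample, then the live system if /proc is available.
force_override_mode "quiet proc_mem.force_override=ptrace" "6.12.48-amd64"
if [ -r /proc/cmdline ]; then
    force_override_mode "$(cat /proc/cmdline)" "$(uname -r)"
fi
```

A result of `unset` or `unsupported` on a system that is expected to be hardened means the boot configuration did not apply the setting.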