kernel: Enable Yama security module.

Enable the Yama LSM and set kernel.yama.ptrace_scope to 1; restricting how processes can use ptrace. For more information see https://www.kernel.org/doc/Documentation/security/Yama.txt Signed-off-by: Samuel Mendoza-Jonas <[email protected]>
bottlerocket-os · Oct 18, 2019 · b1f222f · b1f222f
1 parent 0508365
commit b1f222f
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/packages/kernel/config-thar b/packages/kernel/config-thar
@@ -21,3 +21,6 @@ CONFIG_BLK_DEV_DM=y
 CONFIG_DAX=y
 CONFIG_DM_INIT=y
 CONFIG_DM_VERITY=y
+
+# yama LSM for ptrace restrictions
+CONFIG_SECURITY_YAMA=y
diff --git a/packages/release/release-sysctl.conf b/packages/release/release-sysctl.conf
@@ -38,6 +38,9 @@ kernel.dmesg_restrict = 1
 # Turn off kexec, even if it's built in.
 kernel.kexec_load_disabled = 1
 
+# Avoid non-ancestor ptrace access to running processes and their credentials.
+kernel.yama.ptrace_scope = 1
+
 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
 user.max_user_namespaces = 0