security: Yama LSM

	- how to get started with the SELinux security enhancement.

Smack.txt

	- documentation on the Smack Linux Security Module.

Yama.txt

	- documentation on the Yama Linux Security Module.

apparmor.txt

	- documentation on the AppArmor security extension.

credentials.txt

Yama is a Linux Security Module that collects a number of system-wide DAC

security protections that are not handled by the core kernel itself. To

select it at boot time, specify "security=yama" (though this will disable

any other LSM).

Yama is controlled through sysctl in /proc/sys/kernel/yama:

- ptrace_scope

==============================================================

ptrace_scope:

As Linux grows in popularity, it will become a larger target for

malware. One particularly troubling weakness of the Linux process

interfaces is that a single user is able to examine the memory and

running state of any of their processes. For example, if one application

(e.g. Pidgin) was compromised, it would be possible for an attacker to

attach to other running processes (e.g. Firefox, SSH sessions, GPG agent,

etc) to extract additional credentials and continue to expand the scope

of their attack without resorting to user-assisted phishing.

This is not a theoretical problem. SSH session hijacking

(http://www.storm.net.nz/projects/7) and arbitrary code injection

(http://c-skills.blogspot.com/2007/05/injectso.html) attacks already

exist and remain possible if ptrace is allowed to operate as before.

Since ptrace is not commonly used by non-developers and non-admins, system

builders should be allowed the option to disable this debugging system.

For a solution, some applications use prctl(PR_SET_DUMPABLE, ...) to

specifically disallow such ptrace attachment (e.g. ssh-agent), but many

do not. A more general solution is to only allow ptrace directly from a

parent to a child process (i.e. direct "gdb EXE" and "strace EXE" still

work), or with CAP_SYS_PTRACE (i.e. "gdb --pid=PID", and "strace -p PID"

still work as root).

For software that has defined application-specific relationships

between a debugging process and its inferior (crash handlers, etc),

prctl(PR_SET_PTRACER, pid, ...) can be used. An inferior can declare which

other process (and its descendents) are allowed to call PTRACE_ATTACH

against it. Only one such declared debugging process can exists for

each inferior at a time. For example, this is used by KDE, Chromium, and

Firefox's crash handlers, and by Wine for allowing only Wine processes

to ptrace each other.

0 - classic ptrace permissions: a process can PTRACE_ATTACH to any other

    process running under the same uid, as long as it is dumpable (i.e.

    did not transition uids, start privileged, or have called

    prctl(PR_SET_DUMPABLE...) already).

1 - restricted ptrace: a process must have a predefined relationship

    with the inferior it wants to call PTRACE_ATTACH on. By default,

    this relationship is that of only its descendants when the above

    classic criteria is also met. To change the relationship, an

    inferior can call prctl(PR_SET_PTRACER, debugger, ...) to declare

    an allowed debugger PID to call PTRACE_ATTACH on the inferior.

The original children-only logic was based on the restrictions in grsecurity.

==============================================================

# define PR_SET_MM_START_BRK		6

# define PR_SET_MM_BRK			7

/*

 * Set specific pid that is allowed to ptrace the current task.

 * A value of 0 mean "no process".

 */

#define PR_SET_PTRACER 0x59616d61

#endif /* _LINUX_PRCTL_H */

source security/smack/Kconfig

source security/tomoyo/Kconfig

source security/apparmor/Kconfig

source security/yama/Kconfig

source security/integrity/Kconfig

	default DEFAULT_SECURITY_SMACK if SECURITY_SMACK

	default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO

	default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR

	default DEFAULT_SECURITY_YAMA if SECURITY_YAMA

	default DEFAULT_SECURITY_DAC

	help

	config DEFAULT_SECURITY_APPARMOR

		bool "AppArmor" if SECURITY_APPARMOR=y

	config DEFAULT_SECURITY_YAMA

		bool "Yama" if SECURITY_YAMA=y

	config DEFAULT_SECURITY_DAC

		bool "Unix Discretionary Access Controls"

	default "smack" if DEFAULT_SECURITY_SMACK

	default "tomoyo" if DEFAULT_SECURITY_TOMOYO

	default "apparmor" if DEFAULT_SECURITY_APPARMOR

	default "yama" if DEFAULT_SECURITY_YAMA

	default "" if DEFAULT_SECURITY_DAC

endmenu

subdir-$(CONFIG_SECURITY_SMACK)		+= smack

subdir-$(CONFIG_SECURITY_TOMOYO)        += tomoyo

subdir-$(CONFIG_SECURITY_APPARMOR)	+= apparmor

subdir-$(CONFIG_SECURITY_YAMA)		+= yama

# always enable default capabilities

obj-y					+= commoncap.o

obj-$(CONFIG_AUDIT)			+= lsm_audit.o

obj-$(CONFIG_SECURITY_TOMOYO)		+= tomoyo/built-in.o

obj-$(CONFIG_SECURITY_APPARMOR)		+= apparmor/built-in.o

obj-$(CONFIG_SECURITY_YAMA)		+= yama/built-in.o

obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o

# Object integrity file lists