lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20250718-yama_fix-v1-1-a51455359e67@ssi.gouv.fr>
Date: Fri, 18 Jul 2025 10:47:22 +0200
From: nicolas.bouchinet@....cyber.gouv.fr
To: Kees Cook <kees@...nel.org>, Paul Moore <paul@...l-moore.com>, 
 James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>
Cc: linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org, 
 Olivier Bal-Petre <olivier.bal-petre@....cyber.gouv.fr>, 
 Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr>
Subject: [PATCH] lsm: yama: Check for PTRACE_MODE_READ_FSCREDS access

From: Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr>

Currently, yama only checks if the `PTRACE_MODE_ATTACH` mode is set
during the `yama_ptrace_access_check()` LSM hook implementation.

In cases of call with the `PTRACE_MODE_READ_FSCREDS` mode, nothing
happens. Thus, yama does not interact properly with the
"hidepid=ptraceable" option.

hidepid's "ptraceable" option being documented as follow :

- hidepid=ptraceable or hidepid=4 means that procfs should only contain
  `/proc/<pid>/` directories that the caller can ptrace.

This patch simply add yama a `PTRACE_MODE_READ_FSCREDS` mode check to
enable an interaction with "hidepid=ptraceable".

Combined with hidepid=ptraceable, the following behaviors will then
happen while reading in `/proc/<pid>`:

- "restricted": A process that has a predefined relationship with the
  inferior will see the inferior process in `/proc`.

- "admin-only": A process that has the CAP_SYS_PTRACE will be able to
  see every processes in `/proc`.

- "no attach": A process will not see anything but itself in
  `/proc/<pid>/`.

It is important to note that the combination of "hidepid=ptraceable" and
yama "no attach" also makes PIDs invisible to root.

No access reports are logged in case of denied access with
`PTRACE_MODE_READ_FSCREDS` to avoid flooding kernel logs.

Signed-off-by: Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr>
---
 security/yama/yama_lsm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index 3d064dd4e03f9eaaf5258b37ad05641b35967995..63b589850a88d35dd6a08b23c14ba1a660e6f1b3 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -352,7 +352,7 @@ static int yama_ptrace_access_check(struct task_struct *child,
 	int rc = 0;
 
 	/* require ptrace target be a child of ptracer on attach */
-	if (mode & PTRACE_MODE_ATTACH) {
+	if (mode & (PTRACE_MODE_ATTACH | PTRACE_MODE_READ_FSCREDS)) {
 		switch (ptrace_scope) {
 		case YAMA_SCOPE_DISABLED:
 			/* No additional restrictions. */
@@ -380,7 +380,7 @@ static int yama_ptrace_access_check(struct task_struct *child,
 		}
 	}
 
-	if (rc && (mode & PTRACE_MODE_NOAUDIT) == 0)
+	if (rc && (mode & PTRACE_MODE_NOAUDIT) == 0 && (mode & PTRACE_MODE_ATTACH))
 		report_access("attach", child, current);
 
 	return rc;

---
base-commit: 5d8b97c946777118930e1cfb075cab59a139ca7c
change-id: 20250718-yama_fix-ea5c2c4b2fbe

Best regards,
-- 
Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ