Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-11-26 20:06:26 -05:00
Code Issues Projects Releases Packages Wiki Activity

Merge remote-tracking branch 'raja/stop_ptrace' into arraybolt3/trixie

Browse source
This commit is contained in:
Aaron Rainbolt 2025-10-15 18:18:33 -05:00
commit 35fce26476
No known key found for this signature in database
GPG key ID: A709160D73C79109
3 changed files with 34 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

24
usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared Normal file
View file

@ -0,0 +1,24 @@
## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP
## KSPP=no: not (currently) compliant with recommendations by the KSPP
## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
## Diable the usage of the ptrace() system call by all processes.
## Restrict ptrace() as it enables programs to inspect and modify other active processes.
## Prevents native code debugging which some programs use as a method to detect tampering.
## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
##
## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope
## https://en.wikipedia.org/wiki/Ptrace
## https://grapheneos.org/features#attack-surface-reduction
## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
## https://github.com/netblue30/firejail/issues/2860
##
## KSPP=yes
## KSPP sets the sysctl.
##
kernel.yama.ptrace_scope=3

13
usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
View file

@ -234,8 +234,8 @@ kernel.io_uring_disabled=2
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE.
## Limit ptrace() as it enables programs to inspect and modify other active processes.
## Diable the usage of the ptrace() system call by all processes.
## Restrict ptrace() as it enables programs to inspect and modify other active processes.
## Prevents native code debugging which some programs use as a method to detect tampering.
## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
##
@ -245,13 +245,12 @@ kernel.io_uring_disabled=2
## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
## https://github.com/netblue30/firejail/issues/2860
##
## KSPP=partial
## KSPP sets the stricter sysctl kernel.yama.ptrace_scope=3.
## KSPP=yes
## KSPP sets the sysctl.
##
## It is possible to harden further by disabling ptrace() for all users, see documentation.
## https://github.com/Kicksecure/security-misc/pull/242
## See /usr/lib/sysctl.d/30_security_misc-ptrace-disable.conf for implementation.
##
kernel.yama.ptrace_scope=2
#kernel.yama.ptrace_scope=3
## Maximize bits of entropy for improved effectiveness of mmap ASLR.
## The maximum number of bits depends on CPU architecture (the ones shown below are for x86).