From b04828f858fa6d101099773d3156841fd6d33b6f Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Thu, 18 Jul 2024 11:01:41 +1000
Subject: [PATCH 1/3] Disable the usage of `ptrace()` by all processes

---
 README.md | 5 ++---
 usr/lib/sysctl.d/990-security-misc.conf | 6 ++----
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index b6aa965..cbd2530 100644
--- a/README.md
+++ b/README.md
@@ -45,9 +45,8 @@ space, user space, core dumps, and swap space.
 
 - Disable asynchronous I/O (when using Linux kernel version >= 6.6).
 
-- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
-  enables programs to inspect and modify other active processes. Provide the
-  option to entirely disable the use of `ptrace()` for all processes.
+- Disable the usage of `ptrace()` by all processes as it enables programs to
+  inspect and modify other active processes.
 
 - Prevent hardlink and symlink TOCTOU races in world-writable directories.
 
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 60440e5..1131b77 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -128,7 +128,7 @@ kernel.io_uring_disabled=2
 
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
-## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE.
+## Disable the usage of ptrace() system calls by all processes.
 ## Limit ptrace() as it enables programs to inspect and modify other active processes.
 ## Prevents native code debugging which some programs use as a method to detect tampering.
 ## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
@@ -139,9 +139,7 @@ kernel.io_uring_disabled=2
 ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
 ## https://github.com/netblue30/firejail/issues/2860
 ##
-## It is possible to harden further by disabling ptrace() for all users, see documentation.
-##
-kernel.yama.ptrace_scope=2
+kernel.yama.ptrace_scope=3
 
 ## Maximize bits of entropy for improved effectiveness of mmap ASLR.
 ## The maximum number of bits depends on CPU architecture (the ones shown below are for x86).

From 1c9f33f90606fb930744f1b9afc11caf87626194 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sat, 27 Jul 2024 13:24:08 +1000
Subject: [PATCH 2/3] Revert "Disable the usage of `ptrace()` by all processes"

This reverts commit b04828f858fa6d101099773d3156841fd6d33b6f.
---
 README.md | 5 +++--
 usr/lib/sysctl.d/990-security-misc.conf | 6 ++++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index cbd2530..b6aa965 100644
--- a/README.md
+++ b/README.md
@@ -45,8 +45,9 @@ space, user space, core dumps, and swap space.
 
 - Disable asynchronous I/O (when using Linux kernel version >= 6.6).
 
-- Disable the usage of `ptrace()` by all processes as it enables programs to
-  inspect and modify other active processes.
+- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
+  enables programs to inspect and modify other active processes. Provide the
+  option to entirely disable the use of `ptrace()` for all processes.
 
 - Prevent hardlink and symlink TOCTOU races in world-writable directories.
 
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 1131b77..60440e5 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
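Review bot: `kernel.yama.ptrace_scope=3` is a one-way setting — the kernel's Yama documentation states that once the value is 3 it cannot be changed again until reboot — and neither this hunk nor the reworded comment block in the preceding `@@ -128,7 +128,7 @@` hunk of the same file says so. Value 3 also refuses PTRACE_TRACEME in addition to PTRACE_ATTACH, so the breakage described in that comment block (anti-cheat, Proton/WINE) is presumably broader than at value 2, since no local debugger can attach at all. I would add `## Once set to 3, this value cannot be lowered again without a reboot.` directly above the `kernel.yama.ptrace_scope=3` line. PATCH 2/3 reverts this value change and PATCH 3/3 links the discussion next to the restored `## It is possible to harden further ...` comment; the same one-line caveat belongs there too, so a reader following that advice knows the setting is sticky.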
@@ -128,7 +128,7 @@ kernel.io_uring_disabled=2
 
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
-## Disable the usage of ptrace() system calls by all processes.
+## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE.
 ## Limit ptrace() as it enables programs to inspect and modify other active processes.
 ## Prevents native code debugging which some programs use as a method to detect tampering.
 ## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
@@ -139,7 +139,9 @@ kernel.io_uring_disabled=2
 ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
 ## https://github.com/netblue30/firejail/issues/2860
 ##
-kernel.yama.ptrace_scope=3
+## It is possible to harden further by disabling ptrace() for all users, see documentation.
+##
+kernel.yama.ptrace_scope=2
 
 ## Maximize bits of entropy for improved effectiveness of mmap ASLR.
 ## The maximum number of bits depends on CPU architecture (the ones shown below are for x86).

From 73979d4342dae2017be52d5182bb66fa28be398d Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sat, 27 Jul 2024 13:28:59 +1000
Subject: [PATCH 3/3] Link to `ptrace()` discussion

---
 usr/lib/sysctl.d/990-security-misc.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 60440e5..9a95486 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -140,6 +140,7 @@ kernel.io_uring_disabled=2
 ## https://github.com/netblue30/firejail/issues/2860
 ##
 ## It is possible to harden further by disabling ptrace() for all users, see documentation.
+## https://github.com/Kicksecure/security-misc/pull/242
 ##
 kernel.yama.ptrace_scope=2