[PATCH] lsm: yama: Check for PTRACE_MODE_READ_FSCREDS access
nicolas.bouchinet at oss.cyber.gouv.fr
nicolas.bouchinet at oss.cyber.gouv.fr
Fri Jul 18 08:47:22 UTC 2025
From: Nicolas Bouchinet <nicolas.bouchinet at ssi.gouv.fr>
Currently, yama only checks if the `PTRACE_MODE_ATTACH` mode is set
during the `yama_ptrace_access_check()` LSM hook implementation.
In cases of call with the `PTRACE_MODE_READ_FSCREDS` mode, nothing
happens. Thus, yama does not interact properly with the
"hidepid=ptraceable" option.
hidepid's "ptraceable" option being documented as follow :
- hidepid=ptraceable or hidepid=4 means that procfs should only contain
`/proc/<pid>/` directories that the caller can ptrace.
This patch simply add yama a `PTRACE_MODE_READ_FSCREDS` mode check to
enable an interaction with "hidepid=ptraceable".
Combined with hidepid=ptraceable, the following behaviors will then
happen while reading in `/proc/<pid>`:
- "restricted": A process that has a predefined relationship with the
inferior will see the inferior process in `/proc`.
- "admin-only": A process that has the CAP_SYS_PTRACE will be able to
see every processes in `/proc`.
- "no attach": A process will not see anything but itself in
`/proc/<pid>/`.
It is important to note that the combination of "hidepid=ptraceable" and
yama "no attach" also makes PIDs invisible to root.
No access reports are logged in case of denied access with
`PTRACE_MODE_READ_FSCREDS` to avoid flooding kernel logs.
Signed-off-by: Nicolas Bouchinet <nicolas.bouchinet at ssi.gouv.fr>
---
security/yama/yama_lsm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index 3d064dd4e03f9eaaf5258b37ad05641b35967995..63b589850a88d35dd6a08b23c14ba1a660e6f1b3 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -352,7 +352,7 @@ static int yama_ptrace_access_check(struct task_struct *child,
int rc = 0;
/* require ptrace target be a child of ptracer on attach */
- if (mode & PTRACE_MODE_ATTACH) {
+ if (mode & (PTRACE_MODE_ATTACH | PTRACE_MODE_READ_FSCREDS)) {
switch (ptrace_scope) {
case YAMA_SCOPE_DISABLED:
/* No additional restrictions. */
@@ -380,7 +380,7 @@ static int yama_ptrace_access_check(struct task_struct *child,
}
}
- if (rc && (mode & PTRACE_MODE_NOAUDIT) == 0)
+ if (rc && (mode & PTRACE_MODE_NOAUDIT) == 0 && (mode & PTRACE_MODE_ATTACH))
report_access("attach", child, current);
return rc;
---
base-commit: 5d8b97c946777118930e1cfb075cab59a139ca7c
change-id: 20250718-yama_fix-ea5c2c4b2fbe
Best regards,
--
Nicolas Bouchinet <nicolas.bouchinet at ssi.gouv.fr>
More information about the Linux-security-module-archive
mailing list