[PATCH] lsm: yama: Check for PTRACE_MODE_READ_FSCREDS access

Nicolas Bouchinet nicolas.bouchinet at oss.cyber.gouv.fr
Fri Jul 18 09:11:48 UTC 2025 

Note that a hidepid patch has also been sent [1].

[1]: https://lore.kernel.org/all/20250718-hidepid_fix-v1-1-3fd5566980bc@ssi.gouv.fr/

Best regards,

Nicolas

On 7/18/25 10:47, nicolas.bouchinet at oss.cyber.gouv.fr wrote:
> From: Nicolas Bouchinet <nicolas.bouchinet at ssi.gouv.fr>
>
> Currently, yama only checks if the `PTRACE_MODE_ATTACH` mode is set
> during the `yama_ptrace_access_check()` LSM hook implementation.
>
> In cases of call with the `PTRACE_MODE_READ_FSCREDS` mode, nothing
> happens. Thus, yama does not interact properly with the
> "hidepid=ptraceable" option.
>
> hidepid's "ptraceable" option being documented as follow :
>
> - hidepid=ptraceable or hidepid=4 means that procfs should only contain
>    `/proc/<pid>/` directories that the caller can ptrace.
>
> This patch simply add yama a `PTRACE_MODE_READ_FSCREDS` mode check to
> enable an interaction with "hidepid=ptraceable".
>
> Combined with hidepid=ptraceable, the following behaviors will then
> happen while reading in `/proc/<pid>`:
>
> - "restricted": A process that has a predefined relationship with the
>    inferior will see the inferior process in `/proc`.
>
> - "admin-only": A process that has the CAP_SYS_PTRACE will be able to
>    see every processes in `/proc`.
>
> - "no attach": A process will not see anything but itself in
>    `/proc/<pid>/`.
>
> It is important to note that the combination of "hidepid=ptraceable" and
> yama "no attach" also makes PIDs invisible to root.
>
> No access reports are logged in case of denied access with
> `PTRACE_MODE_READ_FSCREDS` to avoid flooding kernel logs.
>
> Signed-off-by: Nicolas Bouchinet <nicolas.bouchinet at ssi.gouv.fr>
> ---
>   security/yama/yama_lsm.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
> index 3d064dd4e03f9eaaf5258b37ad05641b35967995..63b589850a88d35dd6a08b23c14ba1a660e6f1b3 100644
> --- a/security/yama/yama_lsm.c
> +++ b/security/yama/yama_lsm.c
> @@ -352,7 +352,7 @@ static int yama_ptrace_access_check(struct task_struct *child,
>   	int rc = 0;
>   
>   	/* require ptrace target be a child of ptracer on attach */
> -	if (mode & PTRACE_MODE_ATTACH) {
> +	if (mode & (PTRACE_MODE_ATTACH | PTRACE_MODE_READ_FSCREDS)) {
>   		switch (ptrace_scope) {
>   		case YAMA_SCOPE_DISABLED:
>   			/* No additional restrictions. */
> @@ -380,7 +380,7 @@ static int yama_ptrace_access_check(struct task_struct *child,
>   		}
>   	}
>   
> -	if (rc && (mode & PTRACE_MODE_NOAUDIT) == 0)
> +	if (rc && (mode & PTRACE_MODE_NOAUDIT) == 0 && (mode & PTRACE_MODE_ATTACH))
>   		report_access("attach", child, current);
>   
>   	return rc;
>
> ---
> base-commit: 5d8b97c946777118930e1cfb075cab59a139ca7c
> change-id: 20250718-yama_fix-ea5c2c4b2fbe
>
> Best regards,

More information about the Linux-security-module-archive mailing list