[PATCH] lsm: yama: Check for PTRACE_MODE_READ_FSCREDS access
Jann Horn
jannh at google.com
Fri Jul 18 14:52:51 UTC 2025
On Fri, Jul 18, 2025 at 10:47 AM <nicolas.bouchinet at oss.cyber.gouv.fr> wrote:
> From: Nicolas Bouchinet <nicolas.bouchinet at ssi.gouv.fr>
>
> Currently, yama only checks if the `PTRACE_MODE_ATTACH` mode is set
> during the `yama_ptrace_access_check()` LSM hook implementation.
>
> In cases of call with the `PTRACE_MODE_READ_FSCREDS` mode, nothing
> happens. Thus, yama does not interact properly with the
> "hidepid=ptraceable" option.
>
> hidepid's "ptraceable" option being documented as follow :
>
> - hidepid=ptraceable or hidepid=4 means that procfs should only contain
> `/proc/<pid>/` directories that the caller can ptrace.
>
> This patch simply add yama a `PTRACE_MODE_READ_FSCREDS` mode check to
> enable an interaction with "hidepid=ptraceable".
Please note that PTRACE_MODE_READ_FSCREDS is actually a combination of
two flags, and the intention is that the PTRACE_MODE_REALCREDS /
PTRACE_MODE_FSCREDS part of the flags should basically only be used to
determine where to read the caller's credentials from:
/* shorthands for READ/ATTACH and FSCREDS/REALCREDS combinations */
#define PTRACE_MODE_READ_FSCREDS (PTRACE_MODE_READ | PTRACE_MODE_FSCREDS)
#define PTRACE_MODE_READ_REALCREDS (PTRACE_MODE_READ | PTRACE_MODE_REALCREDS)
#define PTRACE_MODE_ATTACH_FSCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS)
#define PTRACE_MODE_ATTACH_REALCREDS (PTRACE_MODE_ATTACH |
PTRACE_MODE_REALCREDS)
> Combined with hidepid=ptraceable, the following behaviors will then
> happen while reading in `/proc/<pid>`:
>
> - "restricted": A process that has a predefined relationship with the
> inferior will see the inferior process in `/proc`.
>
> - "admin-only": A process that has the CAP_SYS_PTRACE will be able to
> see every processes in `/proc`.
>
> - "no attach": A process will not see anything but itself in
> `/proc/<pid>/`.
>
> It is important to note that the combination of "hidepid=ptraceable" and
> yama "no attach" also makes PIDs invisible to root.
>
> No access reports are logged in case of denied access with
> `PTRACE_MODE_READ_FSCREDS` to avoid flooding kernel logs.
This seems like a major semantic change; I believe it essentially
means that commands like "ps" stop working entirely on systems that
enable hidepid. While that might be desirable in some scenarios, I
think changing the semantics like this without making it opt-in
through a new sysctl knob or such would be a bad idea.
More information about the Linux-security-module-archive
mailing list