New issue
Advanced search Search tips

Issue 785440 link

Starred by 1 user
Status: Untriaged
Owner: ----
Cc:
mnissler@chromium.org
vapier@chromium.org
jorgelo@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Feature



Sign in to add a comment

ptrace_scope: increase to 2

Project Member Reported by vapier@chromium.org, Nov 15 2017 
currently CrOS enables the YAMA LSM which means "ptrace_scope" defaults to "1".  from the docs:
https://www.kernel.org/doc/Documentation/security/Yama.txt

1 - restricted ptrace: a process must have a predefined relationship
    with the inferior it wants to call PTRACE_ATTACH on. By default,
    this relationship is that of only its descendants when the above
    classic criteria is also met. To change the relationship, an
    inferior can call prctl(PR_SET_PTRACER, debugger, ...) to declare
    an allowed debugger PID to call PTRACE_ATTACH on the inferior.
    Using PTRACE_TRACEME is unchanged.

2 - admin-only attach: only processes with CAP_SYS_PTRACE may use ptrace
    with PTRACE_ATTACH, or through children calling PTRACE_TRACEME.

3 - no attach: no processes may use ptrace with PTRACE_ATTACH nor via
    PTRACE_TRACEME. Once set, this sysctl value cannot be changed.

we should be able to increase this to 2 on CrOS systems.  lets investigate!
Project Member

Comment 1 by sheriffbot@chromium.org, Nov 16

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment