spec: Provide default-yama-scope.

When yama is enabled in the kernel it might be used to filter any user
space access which requires PTRACE_MODE_ATTACH like ptrace attach, access
to /proc/PID/{mem,personality,stack,syscall}, and the syscalls
process_vm_readv and process_vm_writev which are used for interprocess
services, communication and introspection (like synchronisation, signaling,
debugging, tracing and profiling) of processes.

These are precisely the things that libdw dwfl and ebl backends rely on.
So make sure they don't mysteriously fail in such cases by providing the
default yama scope sysctl value.

This is implemented as a separate subpackage that just provides this
functionality so other packages that don't directly rely on elfutils-libs
can also just Requires: default-yama-scope to function properly.
https://bugzilla.redhat.com/show_bug.cgi?id=1209492#c69

Signed-off-by: Mark Wielaard <mjw@redhat.com>

4 files changed, 69 insertions, 2 deletions

diff --git a/config/10-default-yama-scope.conf b/config/10-default-yama-scope.conf
new file mode 100644
index 00000000..ba78ebd5
--- /dev/null
+++ b/config/10-default-yama-scope.conf
@@ -0,0 +1,35 @@
+# When yama is enabled in the kernel it might be used to filter any user
+# space access which requires PTRACE_MODE_ATTACH like ptrace attach, access
+# to /proc/PID/{mem,personality,stack,syscall}, and the syscalls
+# process_vm_readv and process_vm_writev which are used for interprocess
+# services, communication and introspection (like synchronisation, signaling,
+# debugging, tracing and profiling) of processes.
+#
+# Usage of ptrace attach is restricted by normal user permissions. Normal
+# unprivileged processes cannot interact through ptrace with processes
+# that they cannot send signals to or processes that are running set-uid
+# or set-gid.
+#
+# yama ptrace scope can be used to reduce these permissions even more.
+# This should normally not be done because it will break various programs
+# relying on the default ptrace security restrictions. But can be used
+# if you don't have any other way to separate processes in their own
+# domains. A different way to restrict ptrace is to set the selinux
+# deny_ptrace boolean. Both mechanisms will break some programs relying
+# on the ptrace system call and might force users to elevate their
+# priviliges to root to do their work.
+#
+# For more information see Documentation/security/Yama.txt in the kernel
+# sources. Which also describes the defaults when CONFIG_SECURITY_YAMA
+# is enabled in a kernel build (currently 1 for ptrace_scope).
+#
+# This runtime kernel parameter can be set to the following options:
+# (Note that setting this to anything except zero will break programs!)
+#
+# 0 - Default attach security permissions.
+# 1 - Restricted attach. Only child processes plus normal permissions.
+# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.
+# 3 - No attach. No process may call ptrace at all. Irrevocable.
+#
+kernel.yama.ptrace_scope = 0
+
diff --git a/config/ChangeLog b/config/ChangeLog
index 00f3ddc4..31eeca7a 100644
--- a/config/ChangeLog
+++ b/config/ChangeLog
@@ -1,3 +1,10 @@
+2015-08-04  Mark Wielaard  <mjw@redhat.com>
+
+	* 10-default-yama-scope.conf: New file.
+	* Makefile.am (EXTRA_DIST): Add 10-default-yama-scope.conf.
+	* elfutils.spec.in (Requires): default-yama-scope.
+	(default-yama-scope): New package.
+
 2015-06-19  Mark Wielaard  <mjw@redhat.com>
 
 	* elfutils.spec.in: Update for 0.163.
diff --git a/config/Makefile.am b/config/Makefile.am
index 6e61b778..23f7b655 100644
--- a/config/Makefile.am
+++ b/config/Makefile.am
@@ -1,7 +1,7 @@
 ## Process this file with automake to produce Makefile.in -*-Makefile-*-
 ## Configure input file for elfutils.
 ##
-## Copyright (C) 2004, 2005, 2008, 2009, 2011 Red Hat, Inc.
+## Copyright (C) 2004, 2005, 2008, 2009, 2011, 2015 Red Hat, Inc.
 ## This file is part of elfutils.
 ##
 ## This file is free software; you can redistribute it and/or modify
@@ -28,7 +28,7 @@
 ## the GNU Lesser General Public License along with this program.  If
 ## not, see <http://www.gnu.org/licenses/>.
 ##
-EXTRA_DIST = elfutils.spec.in known-dwarf.awk
+EXTRA_DIST = elfutils.spec.in known-dwarf.awk 10-default-yama-scope.conf
 
 if MAINTAINER_MODE
 $(srcdir)/elfutils.spec.in: $(top_srcdir)/NEWS
diff --git a/config/elfutils.spec.in b/config/elfutils.spec.in
index 5407f1ab..e5f6e29c 100644
--- a/config/elfutils.spec.in
+++ b/config/elfutils.spec.in
@@ -10,6 +10,7 @@ Obsoletes: libelf libelf-devel
 Requires: elfutils-libelf = %{version}-%{release}
 Requires: glibc >= 2.7
 Requires: libstdc++
+Requires: default-yama-scope
 
 # ExcludeArch: xxx
 
@@ -97,6 +98,22 @@ Conflicts: libelf-devel
 The elfutils-libelf-static package contains the static archive
 for libelf.
 
+%package default-yama-scope
+Summary: Default yama attach scope sysctl setting
+Group: Development/Tools
+License: GPLv2+ or LGPLv3+
+Provides: default-yama-scope
+BuildArch: noarch
+
+%description default-yama-scope
+Yama sysctl setting to enable default attach scope settings
+enabling programs to use ptrace attach, access to
+/proc/PID/{mem,personality,stack,syscall}, and the syscalls
+process_vm_readv and process_vm_writev which are used for
+interprocess services, communication and introspection
+(like synchronisation, signaling, debugging, tracing and
+profiling) of processes.
+
 %prep
 %setup -q
 
@@ -121,6 +138,8 @@ chmod +x ${RPM_BUILD_ROOT}%{_prefix}/%{_lib}/elfutils/lib*.so*
   rm -f .%{_libdir}/libasm.a
 }
 
+install -Dm0644 config/10-default-yama-scope.conf ${RPM_BUILD_ROOT}%{_sysctldir}/10-default-yama-scope.conf
+
 %check
 make check
 
@@ -135,6 +154,9 @@ rm -rf ${RPM_BUILD_ROOT}
 
 %postun libelf -p /sbin/ldconfig
 
+%post default-yama-scope
+%sysctl_apply 10-default-yama-scope.conf
+
 %files
 %defattr(-,root,root)
 %doc COPYING COPYING-GPLV2 COPYING-LGPLV3 README TODO CONTRIBUTING
@@ -197,6 +219,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %files libelf-devel-static
 %{_libdir}/libelf.a
 
+%files default-yama-scope
+%config(noreplace) %{_sysctldir}/10-default-yama-scope.conf
+
 %changelog
 * Fri Jun 19 2015 Mark Wielaard <mjw@redhat.com> 0.163-1
 - Bug fixes only, no new features.