linux config: enable the Yama LSM (#14392)

The Yama Linux Security Module restricts the use of ptrace so that processes cannot ptrace processes that are not their children. This prevents attackers from compromising one user-level processes and snooping on the memory and runtime state of other processes owned by the same user.
2016-10-08 10:40:12 -04:00 · 2016-10-08 10:40:12 -04:00 · a000ed181c
commit a000ed181c
parent ce7739a4dd
1 changed files with 1 additions and 0 deletions
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@ -284,6 +284,7 @@ with stdenv.lib;
  RANDOMIZE_BASE? y
  STRICT_DEVMEM y # Filter access to /dev/mem
  SECURITY_SELINUX_BOOTPARAM_VALUE 0 # Disable SELinux by default
+  SECURITY_YAMA y # Prevent processes from ptracing non-children processes
  DEVKMEM n # Disable /dev/kmem
  ${if versionOlder version "3.14" then ''
    CC_STACKPROTECTOR? y # Detect buffer overflows on the stack