View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001351 | channel: kernel/el7 | --kernel--request-for-enhancement-- | public | 2023-05-15 11:05 | 2023-05-31 14:52 |
Reporter | aviallon | Assigned To | burakkucat | ||
Priority | normal | Severity | feature | Reproducibility | N/A |
Status | resolved | Resolution | fixed | ||
Platform | Intel Xeon W-2133 | OS | CentOS Linux | OS Version | 7.9.2009 |
Summary | 0001351: Kernel missing CONFIG_SECURITY_YAMA=y | ||||
Description | Yama is used by Chrome, Electron and several other apps to improve sandboxing. It is also part of the default CONFIG_LSM of the kernel: CONFIG_LSM="lockdown,yama,integrity,selinux,bpf" | ||||
Steps To Reproduce | # sysctl kernel.yama.ptrace_scope sysctl: cannot stat /proc/sys/kernel/yama/ptrace_scope: No such file or directory | ||||
Tags | kernel, kernel-ml | ||||
|
Looking at the master configuration files the following is seen --

```
[Build64R7 kernels]$ grep -r 'CONFIG_LSM' * | grep -Ev 'config-6\.1|MMAP' | grep 'el7' | sort
el7/config-5.4/config-5.4.233-x86_64:CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
el7/config-5.4/config-5.4.234-x86_64:CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
el7/config-5.4/config-5.4.235-x86_64:CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
el7/config-5.4/config-5.4.236-x86_64:CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
el7/config-5.4/config-5.4.237-x86_64:CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
el7/config-5.4/config-5.4.238-x86_64:CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
el7/config-5.4/config-5.4.239-x86_64:CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
el7/config-5.4/config-5.4.240-x86_64:CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
el7/config-5.4/config-5.4.241-x86_64:CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
el7/config-5.4/config-5.4.242-x86_64:CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
el7/config-6.3/config-6.3.0-x86_64:CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
el7/config-6.3/config-6.3.1-x86_64:CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
el7/config-6.3/config-6.3.2-x86_64:CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
el7/config-6.4/config-6.4.0-x86_64-rc1:CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
el7/config-6.4/config-6.4.0-x86_64-rc2:CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
[Build64R7 kernels]$
```

I suspect you are not looking at an ELRepo Project kernel but one that has been provided by some other entity (and mischievously named kernel-ml). Hence I am closing this request as "no change required". |
|
Hello @burakkucat, I believe you have misunderstood my report. CONFIG_LSM is good, and defines the LSM loading and order. But **YAMA** is not being built. YAMA is controlled by the option: CONFIG_SECURITY_YAMA |
|
Understood. I have now queued the addition of the CONFIG_SECURITY_YAMA=y option to both of the configuration files for the next builds of the kernel-lt and the kernel-ml package sets. (That will be the kernel-lt-5.4.244-1.el7.elrepo and the kernel-ml-6.3.4-1.el7.elrepo package sets, respectively.) |
|
The recently released kernel-ml-6.3.4-1.el7.elrepo package set [1] has the CONFIG_SECURITY_YAMA=y option enabled. Now just waiting for the release of updated sources for the kernel-lt-5.4.244-1.el7.elrepo package set. [1] https://lists.elrepo.org/pipermail/elrepo/2023-May/006488.html |
|
The recently released kernel-lt-5.4.244-1.el7.elrepo package set has the CONFIG_SECURITY_YAMA=y option enabled. |
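
The mismatch discussed in this thread (an LSM named in CONFIG_LSM whose own build option is not set) can be checked mechanically against a kernel config file. The following is an added example, not part of the original report or of ELRepo's tooling; the function names are hypothetical, the name-to-symbol map covers only a handful of LSMs, and the sample config is constructed.

```shell
# Map an LSM name (as used in CONFIG_LSM) to its Kconfig build symbol.
lsm_symbol() {
    case "$1" in
        lockdown)  echo CONFIG_SECURITY_LOCKDOWN_LSM ;;
        yama)      echo CONFIG_SECURITY_YAMA ;;
        integrity) echo CONFIG_INTEGRITY ;;
        selinux)   echo CONFIG_SECURITY_SELINUX ;;
        bpf)       echo CONFIG_BPF_LSM ;;
        apparmor)  echo CONFIG_SECURITY_APPARMOR ;;
        landlock)  echo CONFIG_SECURITY_LANDLOCK ;;
        *)         return 1 ;;   # name not covered by this example's map
    esac
}

# Print one line per LSM that CONFIG_LSM lists but the config does not build.
# Names missing from the map are printed as "name?" instead of being skipped.
lsm_missing_build_opts() {
    cfg=$1
    list=$(sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p' "$cfg")
    [ -n "$list" ] || { echo "no CONFIG_LSM line in $cfg" >&2; return 2; }
    for name in $(printf '%s' "$list" | tr ',' ' '); do
        if sym=$(lsm_symbol "$name"); then
            grep -q "^${sym}=y\$" "$cfg" || echo "$name"
        else
            echo "${name}?"
        fi
    done
}

# Constructed sample config reproducing the situation in this report.
sample_config() {
    cat <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
# CONFIG_SECURITY_YAMA is not set
CONFIG_INTEGRITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_BPF_LSM=y
CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
lsm_missing_build_opts "$tmp"    # prints: yama
rm -f "$tmp"
```

On an installed system the same function can be pointed at the running kernel's config, typically `/boot/config-$(uname -r)`.
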
Date Modified | Username | Field | Change |
---|---|---|---|
2023-05-15 11:05 | aviallon | New Issue | |
2023-05-15 11:05 | aviallon | Tag Attached: kernel | |
2023-05-15 11:05 | aviallon | Tag Attached: kernel-ml | |
2023-05-15 13:47 | toracat | Assigned To | => burakkucat |
2023-05-15 13:47 | toracat | Status | new => assigned |
2023-05-15 13:47 | toracat | Project | channel: elrepo/el7 => channel: kernel/el7 |
2023-05-15 14:54 | burakkucat | Status | assigned => closed |
2023-05-15 14:54 | burakkucat | Resolution | open => no change required |
2023-05-15 14:54 | burakkucat | Note Added: 0009191 | |
2023-05-16 05:11 | aviallon | Status | closed => assigned |
2023-05-16 05:11 | aviallon | Resolution | no change required => reopened |
2023-05-16 05:11 | aviallon | Note Added: 0009192 | |
2023-05-16 13:38 | burakkucat | Status | assigned => acknowledged |
2023-05-16 13:38 | burakkucat | Note Added: 0009193 | |
2023-05-24 17:32 | burakkucat | Note Added: 0009211 | |
2023-05-30 17:12 | toracat | Note Edited: 0009211 | |
2023-05-31 14:51 | toracat | Note Added: 0009214 | |
2023-05-31 14:52 | toracat | Status | acknowledged => resolved |
2023-05-31 14:52 | toracat | Resolution | reopened => fixed |