From 61e0d33b8accc50e031390d3b04aa4a7305f62e2 Mon Sep 17 00:00:00 2001 From: Mark Wielaard Date: Tue, 4 Aug 2015 14:27:51 +0200 Subject: [PATCH] 0.163-3 - Add elfutils-0.163-default-yama-conf.patch Provides: default-yama-scope Resolves: #1250079 --- elfutils-0.163-default-yama-conf.patch | 166 +++++++++++++++++++++++++ elfutils.spec | 49 +++++++- 2 files changed, 214 insertions(+), 1 deletion(-) create mode 100644 elfutils-0.163-default-yama-conf.patch diff --git a/elfutils-0.163-default-yama-conf.patch b/elfutils-0.163-default-yama-conf.patch new file mode 100644 index 0000000..4f2ab29 --- /dev/null +++ b/elfutils-0.163-default-yama-conf.patch @@ -0,0 +1,166 @@ +commit 65a818baa4bcae96c1e9516420fcd87a2db3c863 +Author: Mark Wielaard +Date: Tue Aug 4 12:20:20 2015 +0200 + + spec: Provide default-yama-scope. + + When yama is enabled in the kernel it might be used to filter any user + space access which requires PTRACE_MODE_ATTACH like ptrace attach, access + to /proc/PID/{mem,personality,stack,syscall}, and the syscalls + process_vm_readv and process_vm_writev which are used for interprocess + services, communication and introspection (like synchronisation, signaling, + debugging, tracing and profiling) of processes. + + These are precisely the things that libdw dwfl and ebl backends rely on. + So make sure they don't mysteriously fail in such cases by providing the + default yama scope sysctl value. + + This is implemented as a separate subpackage that just provides this + functionality so other packages that don't directly rely on elfutils-libs + can also just Require: default-yama-scope to function properly. + https://bugzilla.redhat.com/show_bug.cgi?id=1209492#c69 + + 
Signed-off-by: Mark Wielaard + +diff --git a/config/10-default-yama-scope.conf b/config/10-default-yama-scope.conf +new file mode 100644 +index 0000000..ba78ebd +--- /dev/null ++++ b/config/10-default-yama-scope.conf +@@ -0,0 +1,35 @@ ++# When yama is enabled in the kernel it might be used to filter any user ++# space access which requires PTRACE_MODE_ATTACH like ptrace attach, access ++# to /proc/PID/{mem,personality,stack,syscall}, and the syscalls ++# process_vm_readv and process_vm_writev which are used for interprocess ++# services, communication and introspection (like synchronisation, signaling, ++# debugging, tracing and profiling) of processes. ++# ++# Usage of ptrace attach is restricted by normal user permissions. Normal ++# unprivileged processes cannot interact through ptrace with processes ++# that they cannot send signals to or processes that are running set-uid ++# or set-gid. ++# ++# yama ptrace scope can be used to reduce these permissions even more. ++# This should normally not be done because it will break various programs ++# relying on the default ptrace security restrictions. But can be used ++# if you don't have any other way to separate processes in their own ++# domains. A different way to restrict ptrace is to set the selinux ++# deny_ptrace boolean. Both mechanisms will break some programs relying ++# on the ptrace system call and might force users to elevate their ++# priviliges to root to do their work. ++# ++# For more information see Documentation/security/Yama.txt in the kernel ++# sources. Which also describes the defaults when CONFIG_SECURITY_YAMA ++# is enabled in a kernel build (currently 1 for ptrace_scope). ++# ++# This runtime kernel parameter can be set to the following options: ++# (Note that setting this to anything except zero will break programs!) ++# ++# 0 - Default attach security permissions. ++# 1 - Restricted attach. Only child processes plus normal permissions. ++# 2 - Admin-only attach. 
Only executables with CAP_SYS_PTRACE. ++# 3 - No attach. No process may call ptrace at all. Irrevocable. ++# ++kernel.yama.ptrace_scope = 0 ++ +diff --git a/config/ChangeLog b/config/ChangeLog +index 00f3ddc..31eeca7 100644 +--- a/config/ChangeLog ++++ b/config/ChangeLog +@@ -1,3 +1,10 @@ ++2015-08-04 Mark Wielaard ++ ++ * 10-default-yama-scope.conf: New file. ++ * Makefile.am (EXTRA_DIST): Add 10-default-yama-scope.conf. ++ * elfutils.spec.in (Requires): default-yama-scope. ++ (default-yama-scope): New package. ++ + 2015-06-19 Mark Wielaard + + * elfutils.spec.in: Update for 0.163. +diff --git a/config/Makefile.am b/config/Makefile.am +index 6e61b77..23f7b65 100644 +--- a/config/Makefile.am ++++ b/config/Makefile.am +@@ -1,7 +1,7 @@ + ## Process this file with automake to produce Makefile.in -*-Makefile-*- + ## Configure input file for elfutils. + ## +-## Copyright (C) 2004, 2005, 2008, 2009, 2011 Red Hat, Inc. ++## Copyright (C) 2004, 2005, 2008, 2009, 2011, 2015 Red Hat, Inc. + ## This file is part of elfutils. + ## + ## This file is free software; you can redistribute it and/or modify +@@ -28,7 +28,7 @@ + ## the GNU Lesser General Public License along with this program. If + ## not, see . + ## +-EXTRA_DIST = elfutils.spec.in known-dwarf.awk ++EXTRA_DIST = elfutils.spec.in known-dwarf.awk 10-default-yama-scope.conf + + if MAINTAINER_MODE + $(srcdir)/elfutils.spec.in: $(top_srcdir)/NEWS +diff --git a/config/elfutils.spec.in b/config/elfutils.spec.in +index 5407f1a..e5f6e29 100644 +--- a/config/elfutils.spec.in ++++ b/config/elfutils.spec.in +@@ -10,6 +10,7 @@ Obsoletes: libelf libelf-devel + Requires: elfutils-libelf = %{version}-%{release} + Requires: glibc >= 2.7 + Requires: libstdc++ ++Requires: default-yama-scope + + # ExcludeArch: xxx + +@@ -97,6 +98,22 @@ Conflicts: libelf-devel + The elfutils-libelf-static package contains the static archive + for libelf. 
+ ++%package default-yama-scope ++Summary: Default yama attach scope sysctl setting ++Group: Development/Tools ++License: GPLv2+ or LGPLv3+ ++Provides: default-yama-scope ++BuildArch: noarch ++ ++%description default-yama-scope ++Yama sysctl setting to enable default attach scope settings ++enabling programs to use ptrace attach, access to ++/proc/PID/{mem,personality,stack,syscall}, and the syscalls ++process_vm_readv and process_vm_writev which are used for ++interprocess services, communication and introspection ++(like synchronisation, signaling, debugging, tracing and ++profiling) of processes. ++ + %prep + %setup -q + +@@ -121,6 +138,8 @@ chmod +x ${RPM_BUILD_ROOT}%{_prefix}/%{_lib}/elfutils/lib*.so* + rm -f .%{_libdir}/libasm.a + } + ++install -Dm0644 config/10-default-yama-scope.conf ${RPM_BUILD_ROOT}%{_sysctldir}/10-default-yama-scope.conf ++ + %check + make check + +@@ -135,6 +154,9 @@ rm -rf ${RPM_BUILD_ROOT} + + %postun libelf -p /sbin/ldconfig + ++%post default-yama-scope ++%sysctl_apply 10-default-yama-scope.conf ++ + %files + %defattr(-,root,root) + %doc COPYING COPYING-GPLV2 COPYING-LGPLV3 README TODO CONTRIBUTING +@@ -197,6 +219,9 @@ rm -rf ${RPM_BUILD_ROOT} + %files libelf-devel-static + %{_libdir}/libelf.a + ++%files default-yama-scope ++%config(noreplace) %{_sysctldir}/10-default-yama-scope.conf ++ + %changelog + * Fri Jun 19 2015 Mark Wielaard 0.163-1 + - Bug fixes only, no new features. diff --git a/elfutils.spec b/elfutils.spec index e27e1a7..77b7a04 100644 --- a/elfutils.spec +++ b/elfutils.spec @@ -1,7 +1,7 @@ Name: elfutils Summary: A collection of utilities and DSOs to handle compiled objects Version: 0.163 -%global baserelease 2 +%global baserelease 3 URL: https://fedorahosted.org/elfutils/ %global source_url http://fedorahosted.org/releases/e/l/elfutils/%{version}/ License: GPLv3+ and (GPLv2+ or LGPLv3+) 
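Review bot: In the nested config/elfutils.spec.in hunk, `%post default-yama-scope` invokes `%sysctl_apply`, but spec.in gains no BuildRequires on the package that defines that macro, whereas the outer elfutils.spec adds `BuildRequires: systemd >= 215` with the comment `# For the sysctl_apply macro`; on a builder where the macro is undefined, rpm ships `%sysctl_apply 10-default-yama-scope.conf` as literal scriptlet text and the %post fails at install time. The same hunk also makes `Requires: default-yama-scope` on the main package unconditional, while elfutils.spec guards the equivalent line with `%if %{provide_yama_scope}`, so a build from the upstream spec applies the sysctl on every target rather than only where the distribution opted in. Mirroring both the BuildRequires and the guard in spec.in would keep the two specs consistent. As a minor point of style, the comment in 10-default-yama-scope.conf spells `priviliges`; `privileges` is meant.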
@@ -18,6 +18,7 @@ Group: Development/Tools %global separate_devel_static 1 %global use_zlib 0 %global use_xz 0 +%global provide_yama_scope 0 %if 0%{?rhel} %global portability (%rhel < 6) @@ -32,6 +33,7 @@ Group: Development/Tools %global separate_devel_static (%fedora >= 7) %global use_zlib (%fedora >= 5) %global use_xz (%fedora >= 10) +%global provide_yama_scope (%fedora >= 22) %endif %if %{compat} || %{!?rhel:6}%{?rhel} < 6 @@ -48,6 +50,8 @@ Patch1: %{?source_url}elfutils-portability-%{version}.patch Patch2: elfutils-0.163-unstrip-shf_info_link.patch +Patch3: elfutils-0.163-default-yama-conf.patch + %if !%{compat} Release: %{baserelease}%{?dist} %else @@ -99,6 +103,9 @@ License: GPLv2+ or LGPLv3+ Provides: elfutils-libs%{depsuffix} = %{version}-%{release} %endif Requires: elfutils-libelf%{depsuffix} = %{version}-%{release} +%if %{provide_yama_scope} +Requires: default-yama-scope +%endif %description libs The elfutils-libs package contains libraries which implement DWARF, ELF, @@ -187,6 +194,26 @@ Requires: elfutils-libelf-devel%{depsuffix} = %{version}-%{release} The elfutils-libelf-static package contains the static archive for libelf. +%if %{provide_yama_scope} +%package default-yama-scope +Summary: Default yama attach scope sysctl setting +Group: Development/Tools +License: GPLv2+ or LGPLv3+ +Provides: default-yama-scope +BuildArch: noarch +# For the sysctl_apply macro +BuildRequires: systemd >= 215 + +%description default-yama-scope +Yama sysctl setting to enable default attach scope settings +enabling programs to use ptrace attach, access to +/proc/PID/{mem,personality,stack,syscall}, and the syscalls +process_vm_readv and process_vm_writev which are used for +interprocess services, communication and introspection +(like synchronisation, signaling, debugging, tracing and +profiling) of processes. +%endif + %prep %setup -q 
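Review bot: `Requires: default-yama-scope` on elfutils-libs (the `@@ -99,6 +103,9 @@` hunk) means that on Fedora >= 22 every install of elfutils-libs pulls in a subpackage whose %post applies `kernel.yama.ptrace_scope = 0` to the running kernel, including on hosts where an administrator deliberately raised the scope; `%config(noreplace)` protects only the file, not the live value the scriptlet sets. The conf file's own comment explains that values other than 0 break programs, but nothing tells an administrator how to keep a stricter value alongside this package. I would add one sentence to the `%description default-yama-scope` text, e.g. `Administrators who need a stricter ptrace scope can ship an override in /etc/sysctl.d that sorts after 10-default-yama-scope.conf; it takes precedence at the next boot or systemd-sysctl run.` The precedence rule comes from sysctl.d's documented ordering rather than from anything visible in this hunk.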
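Review bot: The new default-yama-scope subpackage (the `@@ -187,6 +194,26 @@` hunk) declares `BuildRequires: systemd >= 215` for the `%sysctl_apply` macro but no runtime dependency, although its `%post` runs that macro on the installed system; if `%sysctl_apply` expands to a call to systemd-sysctl, as it does in systemd's rpm macros, the scriptlet depends on systemd being present when the noarch package is installed, and otherwise either errors or, if the macro is best-effort, silently leaves the sysctl unapplied until the next boot. I would add `Requires(post): systemd` next to `BuildArch: noarch`. A BuildRequires line is global to the spec wherever it appears, so keeping it inside the subpackage stanza is fine, and the existing comment makes the intent clear.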
@@ -208,6 +235,7 @@ sed -i.scanf-m -e 's/%m/%a/g' src/addr2line.c tests/line2addr.c %endif %patch2 -p1 -b .shf_info_link +%patch3 -p1 -b .yama_scope find . -name \*.sh ! -perm -0100 -print | xargs chmod +x @@ -250,6 +278,10 @@ chmod +x ${RPM_BUILD_ROOT}%{_prefix}/%{_lib}/elfutils/lib*.so* %find_lang %{name} +%if %{provide_yama_scope} +install -Dm0644 config/10-default-yama-scope.conf ${RPM_BUILD_ROOT}%{_sysctldir}/10-default-yama-scope.conf +%endif + %check make -s %{?_smp_mflags} check || (cat tests/test-suite.log; %{nocheck}) @@ -264,6 +296,11 @@ rm -rf ${RPM_BUILD_ROOT} %postun libelf -p /sbin/ldconfig +%if %{provide_yama_scope} +%post default-yama-scope +%sysctl_apply 10-default-yama-scope.conf +%endif + %files %defattr(-,root,root) %{!?_licensedir:%global license %%doc} @@ -336,7 +373,17 @@ rm -rf ${RPM_BUILD_ROOT} %defattr(-,root,root) %{_libdir}/libelf.a +%if %{provide_yama_scope} +%files default-yama-scope +%defattr(-,root,root) +%config(noreplace) %{_sysctldir}/10-default-yama-scope.conf +%endif + %changelog +* Tue Aug 04 2015 Mark Wielaard - 0.163-3 +- Add elfutils-0.163-default-yama-conf.patch (#1250079) + Provides: default-yama-scope + * Mon Aug 03 2015 Mark Wielaard - 0.163-2 - Add elfutils-0.163-unstrip-shf_info_link.patch
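Review bot: `%post default-yama-scope` (the `@@ -264,6 +296,11 @@` hunk) applies `10-default-yama-scope.conf` in isolation, so a stricter `kernel.yama.ptrace_scope` from a later-sorting file in /etc/sysctl.d is overridden on the live system at install time even though that file wins at boot, leaving the host in a state that differs from its configured one until the next systemd-sysctl run. Passing a single file is the idiom for `%sysctl_apply` and I would not change the call, but the behaviour is worth recording above the scriptlet: `# Applies only this file; a stricter local override in /etc/sysctl.d is honoured again at the next boot.` There is also no `%postun`, so removing the subpackage leaves the relaxed value in place until reboot; if that is intended, the same comment could say so.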