Chrome Sandbox - Yama LSM enforcing

Discussion in 'sandboxing & virtualization' started by wat0114, May 20, 2014.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Just today I noticed when checking Chrome's sandbox status in Linux the new entry: Yama LSM enforcing. There is some info on it but it's pretty technical. Does anyone know what this does?
     

    Attached Files:

  2. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Taken from Chromium blog:

    "The Yama¹ Linux Security Module, introduced back in Linux 3.4, collects a number of system-wide discretionary access control security protections (such as ptrace restrictions) that are not handled by the core kernel itself:

    One particularly troubling weakness of the Linux process interfaces is that a single user is able to examine the memory and running state of any of their processes. For example, if one application
    (e.g. Pidgin) was compromised, it would be possible for an attacker to attach to other running processes (e.g. Firefox, SSH sessions, GPG agent, etc) to extract additional credentials and continue to expand the scope of their attack without resorting to user-assisted phishing.

    The good news is that the last chromium build shows you whether Yama LSM is enforced or not in the internal chrome://sandbox page."
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Thanks kjdemuth. I guess it must provide some sort of hardening in this area. I guess if it bolster's the effectiveness of the Chrome sandbox in Linux, then that's good.
     
  4. tlu

    tlu Guest

    Yes, I had noticed that, too. A rather detailed explanation is this one. For laymen like you and me this short explantion might be sufficient:

    ... or this one:

     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Nice find tlu, thanks!

    I ran an Apparmor logprof yesterday and it found this which I added to my chrome-sandbox profile:

    Code:
    /proc/sys/kernel/yama/ptrace_scope r,
     
Loading...
Thread Status:
Not open for further replies.