Chrome Sandbox - Yama LSM enforcing

Discussion in 'sandboxing & virtualization' started by wat0114, May 20, 2014.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Just today I noticed when checking Chrome's sandbox status in Linux the new entry: Yama LSM enforcing. There is some info on it but it's pretty technical. Does anyone know what this does?
     

  2. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Taken from Chromium blog:

    "The Yama¹ Linux Security Module, introduced back in Linux 3.4, collects a number of system-wide discretionary access control security protections (such as ptrace restrictions) that are not handled by the core kernel itself:

    One particularly troubling weakness of the Linux process interfaces is that a single user is able to examine the memory and running state of any of their processes. For example, if one application (e.g. Pidgin) was compromised, it would be possible for an attacker to attach to other running processes (e.g. Firefox, SSH sessions, GPG agent, etc) to extract additional credentials and continue to expand the scope of their attack without resorting to user-assisted phishing.

    The good news is that the last chromium build shows you whether Yama LSM is enforced or not in the internal chrome://sandbox page."
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Thanks kjdemuth. I guess it must provide some sort of hardening in this area. I guess if it bolsters the effectiveness of the Chrome sandbox in Linux, then that's good.
     
  4. tlu

    tlu Guest

    Yes, I had noticed that, too. A rather detailed explanation is this one. For laymen like you and me this short explanation might be sufficient:

    ... or this one:

     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Nice find tlu, thanks!

    I ran an Apparmor logprof yesterday and it found this which I added to my chrome-sandbox profile:

    Code:
    /proc/sys/kernel/yama/ptrace_scope r,
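An added demonstration of the restriction the quoted Chromium blog text describes (example code written for this thread, not Chromium's or the kernel's): a small C program that reads the ptrace_scope file the AppArmor profile line above allows, then has one unprivileged process try to attach to a sibling process of the same user, first without and then with the PR_SET_PTRACER opt-in. It assumes Linux; on a kernel without Yama both attaches simply succeed, and under scope 2 or 3 both fail.

```c
/* Added demo, not from the thread: two same-uid sibling processes (neither an
 * ancestor of the other). Under ptrace_scope=1 the attach gets EPERM unless the
 * target opted in via PR_SET_PTRACER (ANY here; real code names one pid). */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Value of /proc/sys/kernel/yama/ptrace_scope, or -1 if Yama is not present. */
int read_ptrace_scope(void) {
    int scope = -1; FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (f) { if (fscanf(f, "%d", &scope) != 1) scope = -1; fclose(f); }
    return scope;
}

/* 0 if a sibling could PTRACE_ATTACH to the target, else the errno it got
 * (EPERM under scope 1 without opt-in); -1 if the demo's own setup failed. */
int sibling_attach_errno(int opt_in) {
    int ready[2], result[2], err = -1; char c;
    if (pipe(ready) != 0 || pipe(result) != 0) return -1;
    pid_t target = fork(); if (target < 0) return -1;
    if (target == 0) {                      /* stand-in for e.g. a GPG agent */
        if (opt_in) prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0);
        if (write(ready[1], "r", 1) != 1) _exit(1);
        pause(); _exit(0);                  /* idle until the parent kills us */
    }
    if (read(ready[0], &c, 1) == 1) {       /* target is up and has opted in (or not) */
        pid_t tracer = fork();
        if (tracer == 0) {                  /* sibling of target, same uid */
            err = ptrace(PTRACE_ATTACH, target, NULL, NULL) == 0 ? 0 : errno;
            if (err == 0) { waitpid(target, NULL, 0); ptrace(PTRACE_DETACH, target, NULL, NULL); }
            _exit(write(result[1], &err, sizeof err) == sizeof err ? 0 : 1);
        }
        if (tracer > 0 && read(result[0], &err, sizeof err) != sizeof err) err = -1;
        if (tracer > 0) waitpid(tracer, NULL, 0);
    }
    kill(target, SIGKILL); waitpid(target, NULL, 0);
    close(ready[0]); close(ready[1]); close(result[0]); close(result[1]);
    return err;
}

int main(void) {
    printf("ptrace_scope = %d\n", read_ptrace_scope());
    printf("sibling attach without opt-in: %s\n", strerror(sibling_attach_errno(0)));
    printf("sibling attach with opt-in   : %s\n", strerror(sibling_attach_errno(1)));
}
```

With ptrace_scope at 1 the first line reports "Operation not permitted" and the second "Success", which is the difference between a compromised Pidgin reaching into a GPG agent and a crash handler the agent explicitly allowed.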
     