F44 Change Proposal: Mitigate vulnerabilities/attacks by enabling kernel.kptr_restrict and net.core.bpf_jit_harden by default, and by obsoleting a package that risks to accidentally disable kernel.yama.ptrace_scope by default [SystemWide]

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Wiki

Announced

Summary

This proposal aims to improve the security of Fedora and increase its resilience against attacks, including mitigating vulnerabilities and attacks that could be enabled by user behavior: targeting average users as of today, it is also our responsibility to implement measures to preemptively protect users and predict that users, e.g., enable third party repos from unknown parties or manually install packages or drivers that no longer get updates or are not implemented by best practices, or run scripts that are not trustworthy: the protection we can offer here is limited, but the kernel ships with several means that are intended to offer mitigation. To avoid misunderstandings: these means are not just to mitigate user-caused vulnerabilities/attacks but also to add additional security layers that can make a difference if others fail (e.g., vulnerabilities in our packages).

Enable kernel.yama.ptrace_scope, kernel.kptr_restrict and net.core.bpf_jit_harden by default in the kernel to increase the security of Fedora and mitigate some vulnerabilities and attacks. kernel.yama.ptrace_scope is already enabled by default upstream, but on Fedora it is currently disabled by default because of a package that accidentally became a dependency for default installations.

Enable ptrace_scope at value 1 (kernel default 1; or consider 2 if FESCo concludes this cannot cause issues), kernel.kptr_restrict at value 1 (or consider 2 if FESCo concludes this cannot cause issues) and bpf_jit_harden at 1 (or 2 if FESCo concludes this cannot cause issues). However, with regards to bpf_jit_harden, risks at 2 might be less predictable, and FESCo might be more careful before using 2: if someone comes up with reproducible reasons why to not set 2 as default or if FESCo cannot exclude noteworthy amounts of bpf_jit activities through privileged users in some use cases (2 = bpf_jit_harden is imposed both on privileged and unprivileged while 1 is imposed only on unprivileged), then 1 might be better for bpf_jit_harden: bpf_jit_harden only risks a performance decrease (respectively power-consumption increase) and only as far as it is used, but use cases of any of our targeted audiences involving privileged bpf_jit activities could be harder to determine/predict (respectively more realistic to occur) than use cases with unprivileged bpf_jit activities.

Theoretically, kernel.yama.ptrace_scope is already at 1, but the package elfutils-default-yama-scope overwrites this because it accidentally became a default package: therefore, add this package to fedora-obsolete-packages to ensure it is removed from all installations on their next update and then remove this package as dependency and remove it from the repository at all because the risk of accidentally re-reinstall it by default on Fedora installations remains, as we experience it at the moment. Further, it is common in the Fedora community, and propagated among users and supporters, to assume that installed tools/applications “do not hurt/impact” except using some space. This packages breaks with this common assumption and thus introduces further risks: ptrace_scope has the capacity to prevent malicious processes (e.g., vulnerable software or self-installed malicious software) to take control of other processes or their data.

Many Linux distributions keep ptrace_scope already by default (e.g., Ubuntu, Arch Linux, openSuSE), as it is set by the upstream kernel, and their users seem to be satisfied to keep this default (value 1, but also consider 2 for Fedora).

With regards to bpf_jit_harden, the Kernel Docs mention that formally, the settings 1 and 2 rather than 0 are performance trade-offs, but I could not identify a performance impact on my installation with 2 (Arch Linux already sets 2 by default in its hardened kernel) with average activities (surfing on the Internet/Firefox, watching movies in browser and vlc, editing/writing documents/code with git/kate/kwrite/nano/mcedit, emails, copying large amounts of files, working on battery, Internet on wifi & usb-ethernet), although as mentioned above, use cases that are impacted by 2 might be more realistic than 1 (FESCo might be able to evaluate this more reliably). Also, although Fedora and RHEL differ in many respects, it might be indicative that for security-sensitive RHEL installations, 2 is already suggested for “bpf_jit_harden”, tested, and partly required, by DISA (see Discussion topic mentioned below, post #12, which suggests that practical cases as far as known have not identified performance/power-consumption issues).

Further, set kernel.kptr_restrict to either 1 (2 if FESCo concludes that this cannot cause negative impacts). Given its circumstances, I could not identify a negative impact that could affect one of our targeted audiences, although 2 might need a wider review by FESCo. This means can avoid the use of kernel exploits in some circumstances, and although in our case it could be possible that attackers might be able to mitigate kptr_restrict, the level of experience will change: in some circumstances, using a kernel exploit can be as easy as a google search with copy/paste, and be taught early in average (online) pentesting courses. Yet, the means that become necessary in cases that are related to kptr_restrict, deep expert knowledge might become necessary to use an exploit, if possible at all.

Details about the settings and what they can mitigate are elaborated in the Kernel Docs and in the Arch Wiki (whose arguments in this respect can be transferred to Fedora): See documentation section below.

Owner

• Name: py0xc3

• Email: py0xc3@fedoraproject.org

Detailed Description

The (security) advantages are best described in the links of the summary above (Arch Wiki & Kernel Docs links): the information is concise and comprehensible. For people without experience in this field, the advantages can be summed up as following: it increases the security by mitigating attacks/vulnerabilities → especially if people modify their system with untrusted/unqualified suggestions found on the Internet, and install untrusted third party code (e.g., such code might not implement best practices nor satisfy QA, or not get updated for long when installed manually, or at the worst, being intentionally malicious), these means might mitigate negative impacts this could have as far as attacks are related to bpf_jit, kernel symbol addresses and ptrace. The means also add a security layer if packages of ours have vulnerabilities, and can thus mitigate exploitation in the time before we update.

I could not identify negative performance/power-consumption impacts in average activities (I - proposal owner - am testing all three means permanently in the setting 2 on my “production laptop” Fedora since 04.08.2025) nor could I identify related experiences from others (formally, performance/power-consumption issues are possible at bpf_jit_harden): as far as tested, the performance seems to remain unchanged and I see limited space for unexpected issues, although it might be useful to review feedback of other users on the Change Proposal to identify if there are circumstances in which this is different, especially on bpf_jit_harden with 2 (everyone is encouraged to test the settings on their system & use cases and give feedback while the Change Proposal is open). As mentioned above, for RHEL, the performance-related setting bpf_jit_harden is already suggested or required at 2 for some security-critical installations without known issues.

Yet, it can be decided by FESCo to start with 1 if use cases of targeted audiences are anticipated that might be impacted negatively by 2 in any of the three settings. This proposal thus suggests to shift the decision of 1 or 2 in all three cases to FESCo: 2 if possible, 1 if potential for negatively-impacting cases can be identified. Starting with 1, then verifying data, and then go to 2 in a second proposal 1 or 2 releases after the next might be an alternative too.

With regards to ptrace_scope, it seems that developers engaging in debugging on lower abstraction layers might experience ptrace_scope to hinder their capability to attach tools like gdb or strace to running processes, but by default Fedora should not be set to a “debugging mode” (as we also do not boot our kernel by default in debugging mode, for good reasons), and it can be expected that people who engage in such activities will be able to identify how to temporarily or permanently disable these settings or to identify the relevant documentation if it exists: documentation is the answer, which affected users in the past had already asked for in (and searched for before opening) the bugtickets¹ when 1 was introduced to ptrace_scope as default in the first place. However, rather than providing documentation, the introduction of the package elfutils-default-yama-scope took place and it became originally a dependency of tools like gdb, and its only purpose is to only disable the (theoretically defaulted) ptrace_scope. However, this is a problematic practice, it breaks with the average assumption many people work with and that they propagate (installed tools/applications do not hurt/impact except using some space), it might impose disabling security means on several users permanently without their knowledge (including those just testing gdb or comparable packages without removing them subsequently), and it leads to risks like the current issue: the package accidentally becomes defaulted on all Fedora installations.

Most users are unlikely to be aware of the security advantage of these functions and would not know that this could increase their security and mitigate some realistic attacks: the secure way should be by default, and people needing debuggers should be able to have proper documentation (Fedora documentation and Discourse are well ranked if users search for error messages with regards to Fedora) to adjust their system themselves, and also decide on themselves if they want these changes to be temporarily when they need them, or permanently.

Therefore, proper documentation should be provided, and I can volunteer to provide Docs pages (preferably one page in our Quick Docs’ troubleshooting and a short sentence with a link to the first mentioned page in the SELinux troubleshooting section because many people expected this to be a SELinux issue; I will have to discuss this with the Docs team) and a Discourse topic that affected people might find when experiencing the issue IF affected developer(s)/users provide me with the names of the affected tools and the very error messages these tools output (and maybe also the behaviors that might be relevant for documentation), which I need to create easy-to-find and expressive/useful Docs pages (also to be ranked high in search queries with error messages).

kptr_restrict is sufficiently covered in the summary and the Documentation below, along with further information of the other kernel settings mentioned in this proposal.

¹ related bug tickets of 2015:

https://bugzilla.redhat.com/show_bug.cgi?id=1196825

https://bugzilla.redhat.com/show_bug.cgi?id=1209492

https://bugzilla.redhat.com/show_bug.cgi?id=1234951

https://bugzilla.redhat.com/show_bug.cgi?id=1250079

Feedback

This Change Proposal started in the following discussion, which contains further considerations and feedback about it: https://discussion.fedoraproject.org/t/increase-security-by-adjusting-kernel-settings-by-default-kernel-yama-ptrace-scope-net-core-bpf-jit-harden-both-defaulting-to-1/161498/

Benefit to Fedora

Increased security / additional security layer with regards to attacks/vulnerabilities related to ptrace, kptr_restrict and bpf_jit. These might mitigate some risks that inexperienced or incautious users may accidentally introduce to their systems themselves (to some extent “social vulnerabilities/causes”), and also mitigate vulnerabilities in our own packages.

Scope

• Proposal owners:

The three kernel settings have to be changed, and the package elfutils-default-yama-scope has to be added to fedora-obsolete-packages and subsequently removed from dependencies and the repositories at all in order to enable ptrace_scope again in a reliable manner. I can create the Merge Requests for creating+installing the kernel settings through systemd and to add the mentioned package to the obsoleted ones, but I might need support to finally remove the package from our repositories with its dependencies as I expect I will not have privileges to achieve that: in finally removing the package from being available in Fedora installations, necessary support is likely to go beyond just accepting my MR in a git repository.

Concerning changing the kernel settings: I will add a file 20-kptr_restrict.conf and 20-core-bpf_jit_harden to Tree - rpms/systemd - src.fedoraproject.org , add the files with Source entries to systemd.spec and then enable the Source entries to be installed by default. Additionally, if FESCo agrees to also set ptrace_scope to 2 rather than the upstream kernel default, I will replace the content of the file 20-yama-ptrace.conf to set 2 rather than 0 (and remove its current comments) and add its Source entry to be installed by default, but in this case, I would also create the file 30-yama-ptrace.conf for 0 with the content of the current 20-yama-ptrace.conf, and I would also add a reference to 20-yama-ptrace.conf about 30-yama-ptrace.conf, so that developers who need to debug retain their means for quickly disabling ptrace_scope and to have a way of disabling ptrace_scope that can be added to potential documentations. 30-yama-ptrace.conf would not be installed by default. If I am provided with the means to create the documentation (see above), then I would use 30-yama-ptrace.conf for elaborating how to disable ptrace_scope permanently by default.

• Other developers:

There are no other developers: although system-wide, this proposal is in the end just changing three settings that should not cause further work once implemented. After that, it is work as usual: everybody who has an issue opens a bugzilla ticket once applicable, and related maintainers get informed / take over, and I will be happy to get involved if something seems to be related to my proposal. If in the aftermath problems rise with this proposal’s changes, and if FESCo considers thus to undo it (or to change any 2 to a 1), then if necessary I can do the revert if FESCo wants me to do it, although I consider undoing it unlikely to become necessary. If the need to further improve documentation comes up (add tools and error messages to documentation not considered earlier along with the solution to solve the issue), I am happy to do so, and maintainers/users/developers of bugtickets are free to reach out to let me know about the need - although as mentioned above: I need the data/information provided that is necessary to prepare/provide the documentation.

• Release engineering: #Releng issue number

Informing RelEng could be useful, but I expect there is no need for them to act (except their involvement is necessary to remove the package).

• Policies and guidelines: N/A (not needed for this Change)

• Trademark approval: N/A (not needed for this Change)

• Alignment with the Fedora Strategy:

Provide an operating system for average users that is as secure by default as possible, not requiring users to setup their security means themselves and providing as far as possible preventive measures to mitigate negative impacts (up to preventing/mitigating user-caused vulnerabilities/issues when possible), but also to ensure additional security layers in case, e.g., vulnerabilities come up in packages of ours (the more time it takes to identify and solve a vulnerability once it occurred, the more useful are additional security layers that can mitigate attacks/exploitation in some circumstances).

Because we want to provide an operating system for average users / for everybody, we also have to consider and mitigate issues that are made by inexperienced or incautious users as far as this is possible without noteworthy negative impact. Surely everything remains a compromise.

Upgrade/compatibility impact

The settings should be updated also when earlier Fedora releases are upgraded to the release of this proposal. So it should not only be the default for new installations, but also for upgraded installations. However, it might be more stable/secure to introduce it only to installations that are upgraded to the next release (or installed with the next release), but not introduced through normal “daily” updates within earlier releases.

Early Testing (Optional)

See the How To Test section.

Do you require ‘QA Blueprint’ support? N

How To Test

Enable all three settings and work with it, and feel free to exchange results. An easy means to keep testing it permanently is to append three lines to the file /etc/sysctl.conf, in order to ensure the settings are set automatically on boot:

Values for lowest proposed changes:

net.core.bpf_jit_harden = 1
kernel.yama.ptrace_scope = 1
kernel.kptr_restrict = 1

Values for highest proposed changes:

net.core.bpf_jit_harden = 2
kernel.yama.ptrace_scope = 2
kernel.kptr_restrict = 2

You may want to test it temporarily at first, which means that it shall not persist when you shutdown/reboot your machine: you can achieve that with the sysctl command, e.g., these three commands are to set all three to “2”:

sysctl net.core.bpf_jit_harden=2

sysctl kernel.yama.ptrace_scope=2

sysctl kernel.kptr_restrict=2

The same commands can be used to set back your defaults without rebooting.

You can verify the current settings with the following commands (including your system’s defaults when you use these commands before using any of the above):

cat /proc/sys/kernel/yama/ptrace_scope

cat /proc/sys/kernel/kptr_restrict

sudo cat /proc/sys/net/core/bpf_jit_harden

(bpf_jit_harden needs sudo permissions)

Please do not test ptrace_scope with the setting 3 unless you read about its implications, as the implications differ to 1 and 2. I expect 3 is not relevant for Fedora.

User Experience

Except for people who aim to debug running applications by attaching tools like gdb or strace, there should be no measurable/perceived impact, although my earlier elaborations should be considered.

This change should decrease the likelihood that people experience attacks / exploitations of vulnerabilities related to ptrace and bpf_jit or kernel symbolic addresses (the latter is related to kernel exploits)

Dependencies

None, although the package is a dependency of some other packages, but it can just be removed from their dependencies as it does nothing but disabling ptrace_scope.

Contingency Plan

• Contingency mechanism: Should not apply because this is just enabling three kernel settings. If any issue comes up that endangers the release, the maintainers/FESCo/RelEng can revert the three settings to the earlier defaults (0). The same for the package.

• Contingency deadline: to be set by FESCo/RelEng

• Blocks release? No: if issues come up with any of the three settings, they should be reverted to the earlier default rather than blocking a release.

Documentation

kernel.yama.ptrace_scope:

https://wiki.archlinux.org/title/Security#ptrace_scope

https://docs.kernel.org/admin-guide/LSM/Yama.html

net.core.bpf_jit_harden:

https://wiki.archlinux.org/title/Security#BPF_hardening

https://docs.kernel.org/admin-guide/sysctl/net.html

https://docs.cilium.io/en/latest/reference-guides/bpf/architecture/#hardening

kernel.kptr_restrict:

https://wiki.archlinux.org/title/Security#Restricting_access_to_kernel_pointers_in_the_proc_filesystem

https://docs.kernel.org/admin-guide/sysctl/kernel.html#kptr-restrict

Related to all three:

https://discussion.fedoraproject.org/t/increase-security-by-adjusting-kernel-settings-by-default-kernel-yama-ptrace-scope-net-core-bpf-jit-harden-both-defaulting-to-1/161498/

Release Notes

This change essentially achieves the adjustment of three kernel settings:

• Kernel setting net.core.bpf_jit_harden changed from 0 to 2 (see upstream Docs of the setting),

• kernel setting kernel.yama.ptrace_scope changed to from 0 (formally it was 1 but a package changed it to 0 by default on each boot in earlier releases) to 2 (see upstream Docs of the setting) and

• kernel setting kernel.kptr_restrict changed from 0 to 2 (see upstream Docs of the setting).

This aims to increase security and mitigate vulnerabilities/attacks related to ptrace, kernel symbol addresses (potential for kernel exploits) and bpf_jit. For details, review the Change Proposal and its mentioned sources (especially the related Kernel Docs).

Further, the package elfutils-default-yama-scope is obsoleted and removed from the repository to avoid the security means kernel.yama.ptrace_scope to get accidentally disabled again.

kernel.yama.ptrace_scope can break some functions of tools like gdb or strace (mostly debugger tools) if the functions are related to attaching the tool to other processes. Documentation to mitigate the debugger issues is provided in the Quick Docs’ “Troubleshooting” section: it might be necessary to disable kernel.yama.ptrace_scope temporarily or permanently when attaching gdb or other tools to processes, depending on user preferences. Keep in mind that this is an important security function to protect processes and contained data.

Last edited by @py0xc3 2025-09-12T09:15:38Z

Last edited by @py0xc3 2025-09-12T09:15:38Z

How do you feel about the proposal as written?

If you are in favor but have reservations, or are opposed but something could change your mind, please explain in a reply.

We want everyone to be heard, but many posts repeating the same thing actually makes that harder. If you have something new to say, please say it. If, instead, you find someone has already covered what you’d like to express, please simply give that post a instead of reiterating. You can even do this by email, by replying with the heart emoji or just “+1”. This will make long topics easier to follow.

Please note that this is an advisory “straw poll” meant to gauge sentiment. It isn’t a vote or a scientific survey. See About the Change Proposals category for more about the Change Process and moderation policy.

FESCo might be able to evaluate this more reliably

A lot of trust is put in FESCo. This warms my heart, but, unfortunately, FESCo cannot be tasked with doing in-depth research. Some of us might be experts on specific topics, but we certainly are not experts on all topics. If FESCo has questions, it’s just go back to the Change Owners and ask for an explanation

the introduction of the package elfutils-default-yama-scope took place and it became originally a dependency of tools like gdb, and its only purpose is to only disable the (theoretically defaulted) ptrace_scope. However, this is a problematic practice, it breaks with the average assumption many people work with and that they propagate (installed tools/applications do not hurt/impact except using some space),

I don’t think this assumption is entirely true. We do have various packages which “change behaviour”. The most obvious examples are various packages which provide dnf repo definitions. There is also zram-generator-defaults and systemd-oomd-defaults. elfutils-default-yama-scope fits in the same pattern. It’s fine to have such packages. The problem is that elfutils-default-yama-scope is pulled in via dependencies, not that it exists.

In general, I think this is a good change. The default should be to make the system safe. The number of people who regularly use debugging tools are small… I would guess <10% of the developers, i.e. a minuscule number compared to the total user base.

I have doubts about kernel.yama.ptrace_scope = 2. If we default to this, we encourage people to do debugging under sudo, which is quite wrong. 1 seems to be a much more reasonable setting. Being able to trace a child process doesn’t seem to have much security implications… After all, you generally fully control how the child is spawned, to there is no need to use a roundabout way to control the child.

Agreed. But for additional brownie points, it’d be great to teach gdb and other tools to give a good hint when ptrace fails with a permission error, for example linking to this documentation page. For related work, see how gdb gives a hint to use dnf to install debuginfo packages:
Missing rpms, try: dnf --enablerepo='*debug*' install glibc-debuginfo-2.41-5.fc42.x86_64 libacl-debuginfo-2.3.2-3.fc42.x86_64

EDIT: I forgot to add: net.core.bpf_jit_harden=2 seems fine. IIUC, it could maybe have an impact on systems that use a lot of BPF, e.g. some network servers that do filtering and such. But that is very niche, so this seems to be a reasonable default.

OTOH, kernel.kptr_restrict=2 seems bad. It would only matter to people who compile their own kernels, and, IIUC, it would break perf. 1 semes to be a better default.

I will read your comments tomorrow more thoroughly and then add more information if necessary. However, what catched my eye already at skimming:

I have no problem with that. As indicated, the most critical thing here is to get it at least to “1”. “2” might be a nice addition, but most attack/vulnerability scenarios about this are mitigated already by 1.

I admit, I am not sure if the incentives about sudo are much different between “1” and “2” in ptrace_scope, as I am not convinced if debugging on average takes place on child processes (this reminds me on the case we discussed in the original topic), which as you indicate are likely the major cases of “1” allowing ptrace in practice, but if there are doubts about 2, I think 1 is better than risking a DoS on some users → my experience with gdb is limited, wasn’t using it for years and never regularly, so I never had a routine with it or so. Maybe you can elaborate your point though? So scenarios in which 1 makes the difference about sudo on average? (=cases of people using gdb where it can be expected that “1” will never force them to adjust ptrace_scope or to sudo, etc.)

My point here would be that if it becomes necessary occasionally, then people will get used to it anyway if they work with bad practices and just go sudo when something doesn’t work immediately. Others will find out about the background and mitigate (if documentation is there:). But if there is indeed a user group that can be “saved” from getting used to bad practices by sticking with “1”, I would not stand in the way and agree that “1” can be a good compromise then.

Theoretically, yes, but practically, it can make a difference even then, but this is what I meant here (our case → all use the same kernel, not compiling on themselves):

I will write something about this tomorrow.

A post was split to a new topic: Errors in change proposals when transferring from wiki to Discourse & announcement mailing list

The difference is that 1 allows an unprivileged user to start a program through gdb/strace/etc.:

gdb --args some-program a b c
strace some-program e f g

WIth kernel.yama.ptrace_scope = 2both are denied.

I think that starting programs through strace, rather than attaching strace to an already running program, is the most common use by far. I guess that for gdb the use is more mixed, but it’s very common too.

Please explain.

Please explain.

Regarding kptr_restrict, I did immediately after the sentence you cited So I was referencing the part of the proposal that explains it. Discourse is broken again in my Firefox anyway so I cannot cite at the moment, so to avoid confusion I copy/paste the relevant part. See below:

although in our case it could be possible that attackers might be able to mitigate kptr_restrict, the level of experience will change: in some circumstances, using a kernel exploit can be as easy as a google search with copy/paste, and be taught early in average (online) pentesting courses. Yet, the means that become necessary in cases that are related to kptr_restrict, deep expert knowledge might become necessary to use an exploit, if possible at all.

→ The point is, I had to collaborate much with pentesting people in some parts of my career (though some years ago), and I had to do myself some SANS courses about it. Kernel exploits are sometimes as easy to use as a google search, or search within a tool, and copy/paste a command or two. Surely this is not always the case and usually applies only once there is already a type of access to the system (so it can be part of privilege escalation). However, while using a kernel exploit can be something pentesters know early given that it will not need much additional knowledge compared to what they did on their way to the point they can use it (though there might be differences between different exploits in necessary knowledge), taking the Fedora kernel and reproduce symbol addresses in order to prepare an exploit to work out on another Fedora installations with that kernel will need a different level of knowledge. And you will not get this done by copy/paste one command (which sometimes can be what is necessary to use an kernel exploit if some user credentials or so already give basic access to the system). So the average pentesting courses will not bring you to that point early, if at all, while I assume people with that level of knowledge have mostly better ways to make their money.

This is now a subjective perception and it can be questioned if it is representative, but it is what I had in mind often when working on this: I think that the vast majority of pentesters I met, who already used kernel exploits in some scenarios, would have been not able to do this in an acceptable amount of time (if at all), in any case did not know of such depths off the cuff. I would simplify that this limits attacks from people who can use kernel exploits to those who can code them on themselves, which is the minority of those active in such fields. I have to add myself to this list: I had been able to use kernel exploits, but I actually would need to start from scratch to get into reproducing the kernel symbol addresses → there needs to be a noteworthy return on investment as it would need time to get into this (I don’t know off the cuff how much time that would need for me tbh:)

I clearly presume here that potential/likely attackers for average Fedora users have a comparable level of knowledge than average pentesters, and are not the maintainers of Arch Linux or so Hope that makes sense?

it would break perf
I will write something about this tomorrow.

This is what makes me think too. I came to the conclusion that for average users this shall not be a problem, and it is nothing for which we should get rid of increased security. I presumed that those who work with such tools on Fedora are likely deeply embedded with the community anyway to get to the information if not known in advance (not sure if our kernel regression test scripts need an update here?), or found some documentation about it. I saw that the Fedora documentation about this seems limited to the Magazine (which I considered indication it is not in wider use) → not sure if it is possible to add an appendix to an article that adds a clarification for F44+ ( @glb is that possible/intended? So to create a short amendment for such articles? With acceptance of the author of course).

Anyway, I agree that if there are doubts, “1” should be fine for the beginning and mitigate most vulnerability scenarios regarding kptr_restrict, and FESCo might consider “1” if they are not convinced too: it is most important to get either 1 or 2 in order to get rid of 0, and we should avoid to get another SELinux dilemma

Keep in mind that we regularly experience users in ask.fedora who are not aware that they no longer get updates after 6 months if they don’t upgrade. This is not a daily thing of course, but it is more likely on Fedora than on other systems given the short life-cycles, and as much as we want to propagate this information, we will not reach everybody who downloads and installs Fedora (or buys a notebook with it - not knowing about it at all): they sometimes do their daily updates and don’t wonder if nothing new comes up (or think everything is done in the background). Complement this with untrusted packages or a service daemon with weak credentials, and we have a realistic scenario.

The difference is that 1 allows an unprivileged user to start a program through gdb/strace/etc.:

Regarding ptrace_scope, I meant the difference in practice for cases, not difference between 1 and 2 So cases in which it can be assumed that 1 solves the issue at all while 2 does not because if 1 solves it just sometimes, the issue is there anyway and the person is likely to either use good practice and solve the problem themselves (for which we provide documentation then), or get used to bad practices and just go sudo once sometimes does not work.

I think that starting programs through strace, rather than attaching strace to an already running program, is the most common use by far.

I agree to that.

I guess that for gdb the use is more mixed, but it’s very common too.

I agree to that too, and that it is usually a mix is the point I meant. They will likely find out that in some cases, it no longer works (for which we provide then documentation), so they either search for a solution and we have to ensure there is one that is easy to find, or they just go sudo anyway once they see that both cases does work there.

However, you added an important point: if we take “2” in ptrace_scope, this implication needs to be considered in the documentation explicitly as well, including elaborating the behavior what exactly works only with sudo and what not (mostly to make the finding of the page easier). So I expand my offer about documentation to this: if we take 2, and if I am provided with relevant information (relevant error logs and behaviors and affected tools) about this, I would add something to the documentation about this too. This should be all on the same page anyway.

That said, I have mixed feelings myself about this, and I understand your point. Personally, I think “2” would be better as we need a documentation anyway. But I could understand if FESCo would decide that the default sticks with “1” as it mitigates most problem scenarios (in any case the most realistic ones), though not all. Most important to have either 1 or 2, and get rid of 0

Agreed. But for additional brownie points, it’d be great to teach gdb and other tools to give a good hint when ptrace fails with a permission error, for example linking to this documentation page. For related work, see how gdb gives a hint to use dnf to install debuginfo packages:

The deeper this gets, the more others need to take over / contribute to the documentation. As I don’t use these tools, I would limit myself to provide the pages with the necessary information to mitigate impacts of “1”/“2” (as far as I am provided with the necessary information):

• this is the behavior that can occur with these tools respectively,
• these are the error logs,
• this is the reason, and
• this is what you can/should do
• (this is not SELinux → link at SELinux troubleshooting to the actual troubleshooting page of this case)

→ so far, this would be about the impact of ptrace_scope at all, and if we take “2”, then also an addition that briefly elaborates the additional issue with “2”, as far as necessary.

I don’t think this assumption is entirely true. We do have various packages which “change behaviour”. The most obvious examples are various packages which provide dnf repo definitions. There is also zram-generator-defaults and systemd-oomd-defaults. elfutils-default-yama-scope fits in the same pattern. It’s fine to have such packages.

The presumption is true in terms of this is how it is handled in this community, in Discourse, and how we propagate and treat cases. This starts with the arguments in the regular discussions of what tools should be contained by default in Fedora variants and what not. However, I agree that there are more cases, as you say: yet, the presumption works well for most users who do not want/need to get more deeply into this even if it is not “mathematically true”, as at least as far as I know/saw them, other changes do not impose security- or stability issues that can have a realistic negative impact, nor do they disable security- or stability-relevant features. Not sure if your examples fall into such a category? If so, I indeed would argue that we should work on this, though it would go beyond this proposal

The problem is that elfutils-default-yama-scope is pulled in via dependencies, not that it exists.

The problem is that what has occurred can occur again. We have now proof that it can occur, and it remained unconsidered for long. This is what I consider a proof that it is a bad practice in cases in which security or stability impacts are realistic. It is fine to have packages that impose changes but only as long as they have no security or stability impact.

That said, I could imagine there are other solutions for such packages too (so without removing them at all), but something should be put in place to explicitly avoid the issue that we now know can happen, and that it can happen without consideration for long However, as I am not a package maintainer & have limited experience with the practice in our package maintaining, my repertoire is limited, but we should be indeed open to alternatives to my suggestion to remove the package, as long as negative security and stability impacts can be excluded.

bpf_jit_harden

I once totally disabled BPF JIT on one of my system and had not encountered any issue, but that’s just me with my own workload. Theoretically JIT restriction should’t result in function change, only performance issue in worst cases.

elfutils-default-yama-scope

I’m kind of curious how did such a package pass Fedora’s QA? I don’t think anyone should create a package just to modify a system’s ptrace_scope settings (and it’s applied on boot, not even considering if gdb is actually used?). And it turned out to be in a default installation of F42, so basically all (desktop) installations didn’t have ptrace_scope set to 1 as originally intended.

Maybe we can introduce a screening process for packages that add configuration files to /usr/lib/sysctl.d and other places where there’s risk of downgraded system security, to avoid it happen in the future?

break perf

Before I started using Fedora I was on Debian and they already have all users (except root) banned from using perf with this patch. I think it’s fine if most non-developer user lost ability to perf because they won’t be using it anyway.

kptr_restrict=2

I think kptr_restrict=2 could be beneficial in some cases (like not being able to attack kernel even as root) but the potential disruption could be unworthy. Is there known programs that depends on kallsyms to work?

Yes, that is possible. Just let the editors know if it needs to be done and we’ll try to contact the author to get permission to update the article. Thanks.

Note that this bz indicates that by-default inclusion of the elfutils sysctl was by no means accidental. It was on purpose, to work around an undesirable upstream-unilateral kernel default change. If this were reopened, an alternate method for easy setting this status quo would be appropriate, and ideally automated with the installation of any known ptrace-client tools (gdb, elfutils, strace, etc.).

I would like to see a bit more details in the suggested Release Notes, at least when it comes to kernel.yama.ptrace_scope. strace is my goto tool when all else fails. I might be unusual, but I’m not unique in that. The strace might be on an already running process, not necessarily a child started by strace. Given the suggested Release Notes, I probably wouldn’t have realised I might want to tweak kernel.yama.ptrace_scope. The notes should not go into the full details of course, but they ought to mention that strace and gdb will be blocked by the change, which would be enough for someone like me to take a look at what it actually means.

EDIT: If a hint from the tools is implemented, this becomes less important.

Please read the proposal, as it tackles all your points mentioned. Also, in the original discussion about this change, the “accident” was more deeply discussed (though the result is more or less what is written in the proposal). Anyway, to still provide a specific response about your points:

It was accidental that it became a dependency on the whole operating system, including for target audiences more vulnerable to attack scenarios mitigated by ptrace_scope.

This change is an important security feature that mitigates an attack realistic for many audiences, and it is a consensus of the kernel community, and shared by several distribution communities (at least those I checked; e.g. Arch and Ubuntu) that it is important to keep: given the limited availability of packages on Fedora (especially concerning proprietary), but also potentially our issues of some packages being not updated for sometimes years without users knowing, it could be argued that our users might be more vulnerable than some others, but at least the same. This is much about users passwords, credentials, personal data transferred, etc.

It is undesirable, if at all, only for one target audience that does not make the majority, and even for people using gdb I would not presume that all of them want this feature to be disabled permanently, especially as this can be one command before and after using gdb in a related environment. The decision should be theirs. Also, don’t forget the “common assumption” mentioned in the proposal that is usually propagated when users ask how to remove packages or when they complain that too much stuff is installed by default. Most users exercise this intuitively → they might test gdb to see what it makes, maybe just out of curiosity, and then leave it - assuming it does nothing except using some space.

Such a package, even if we had a means to explicitly ensure it is just installed with gdb or strace, disables an important security feature that aims to protect them and their private data, systemwide permanently, and people are not told about it.

Keep in mind we bought ourselves intentionally average users as target audience, any many of them depend on such security measures because installing third party stuff is widespread and knowledge often not that high to understand implications, that is why we thus also brought us the responsibility for some security by default.

That would be nice, but unrealistic. I am open to alternatives though, but I am not sure if ptrace_scope can be enabled for gdb/strace on user level the way we need it without effectively disabling it. Documentation remains the sole solution I can identify, and the earlier bug tickets about the issue show that affected people were seeking immediately documentation, but nothing was there → I read the bug tickets the way that if documentation would have been available, the tickets might have not been opened (that’s why I also want to mention the issue in SELinux troubleshooting pages with a link to the actual troubleshooting page about the issue, given the assumptions of affected users in the past when searching Docs about it). We have to do better this time, that’s why I added the obligation to my proposal to create the dedicated troubleshooting docs page about this if users of gdb and such provide me with the mentioned information (plus updating the SELinux Docs troubleshooting page to mention and reference it).

That’s a great point, indeed. I will update the proposal this week to have a hint contained in the release notes about what will happen to applications like gdb and strace, but also a hint that docs are available and maybe about where (e.g., see troubleshooting section in quick docs).

I have updated the change proposal’s “Release Notes” section to consider the suggestion of @goeran but also to generally improve them in some respects (both Discourse and wiki have been updated).

Let me know if another optimization is necessary or if I missed something.

I will open a Docs topic today or tomorrow to start checking with the Docs team how to implement a Docs page for this best. I consider it necessary to have the Docs page online at the time of the release that contains this change.

If the proposal will be accepted, the planned Docs page will be at:
Quick Docs → “Troubleshooting” section → “Troubleshooting debugger problems (gdb, strace, related tools)”

This will go along with an update of the following page …
Quick Docs → “SELinux” section → “Troubleshooting SELinux”
… in order to ensure that people who presume this is a SELinux issue find a page section within the SELinux page that elaborates shortly the issue, that the issue is not SELinux-related, and provide a link to the actual page that elaborates the issue.

But keep in mind that it will be necessary that people provide me with the data of how gdb, strace, and potentially other tools, behave, especially error outputs, and whatever is necessary or useful to create a Docs page that can be easily found and then link the very issue people experience to ptrace_scope. I do the rest.

(supplement: feel free to suggest alternatives, if you think another place would be more advantageous for the related Docs pages)

Related topic of the Docs team about this: New Quick Docs page necessary for change proposal (upstream kernel change will cause issues to debuggers)

This change proposal has now been submitted to FESCo with ticket #3471 for voting.

To find out more, please visit our Changes Policy documentation.

Historically launching through strace was probably most common, but in the modern container age IME the situation has changed significantly. Containers often won’t have strace installed, or if it is, then it is inconvenient to change the startup sequence of the program to be debugged via strace. It is thus significantly more common these days to attach strace to an already running program, as was already common with gdb. IOW, I don’t think it is reasonable to make an assumption that strace is primarily used for launching not attaching.

NB, this set of people is not merely developers. It can include any Fedora user. When Fedora users file bug reports it is not uncommon to ask them to collect debugging information via strace/gdb. So there will be a impact in the need to request them to change to root to alter sysctl values, before they can collect the requested debug info, and then remind them to change the sysctl back again afterwards.

I am not sure if I agree it is widespread to tell people to use gdb in bug reports. Actually, I have seen none, although I believe you that this exists → surely I do read only a minority of reports and many categories not at all. However, when we reach the point that makes it realistic to ask a user to use gdb and provide feedback, we usually have asked them before to provide system logs, which already forces them to go sudo. I think adding to the request that they shall enter one more command to temporarily disable ptrace_scope until the next boot should not make a difference. I’m sure there are also bug reports in openSuSE, Arch and Ubuntu

But I agree that the developers asking them need to know about it, which leads back to the documentation that needs to be available and easy to find when people experience the gdb issue. We will have three records for three reasonings to find the documentation:

GDB is broken, I need troubleshooting gdb: → quick docs → “troubleshooting” section → “Troubleshooting debugger problems (gdb, strace, related tools)”

GDB is broken, that surely is another SELinux issue (which seems many if not most people thought in 2015 when this occurred the first time): → quick docs → “SELinux” section → “Troubleshooting SELinux” (a section about this will be added and linking to the above docs)

GDB is broken after I upgraded, I have to check the release notes: → release notes will elaborate and link to the Docs

Also, there will be a Discourse topic about it. And both Discourse and our Docs are well ranked in search queries on search engines.