linux config: enable the Yama LSM (#14392)

The Yama Linux Security Module restricts the use of ptrace so that
processes cannot ptrace processes that are not their children. This
prevents attackers from compromising one user-level processes and
snooping on the memory and runtime state of other processes owned
by the same user.
This commit is contained in:
Aneesh Agrawal 2016-10-08 10:40:12 -04:00 committed by Franz Pletz
parent ce7739a4dd
commit a000ed181c

View File

@ -284,6 +284,7 @@ with stdenv.lib;
RANDOMIZE_BASE? y
STRICT_DEVMEM y # Filter access to /dev/mem
SECURITY_SELINUX_BOOTPARAM_VALUE 0 # Disable SELinux by default
SECURITY_YAMA y # Prevent processes from ptracing non-children processes
DEVKMEM n # Disable /dev/kmem
${if versionOlder version "3.14" then ''
CC_STACKPROTECTOR? y # Detect buffer overflows on the stack