Yama
E724151
Yama is a Linux Security Module that enhances process and ptrace-related security by restricting how processes can inspect or interfere with each other.
Statements (46)
| Predicate | Object |
|---|---|
| instanceOf | Linux Security Module; kernel security feature |
| aimsTo | limit information disclosure between processes; mitigate privilege escalation attacks; reduce attack surface from ptrace |
| canBe | built as kernel module; built into kernel |
| category | computer security software; operating system security |
| configurationInterface | /proc/sys/kernel/yama; sysctl |
| controls | how processes can inspect each other; how processes can interfere with each other; ptrace access between processes |
| defaultPolicy | allow ptrace with traditional restrictions when scope is 0 |
| designedTo | be simple and low-overhead |
| hasKernelConfigOption | CONFIG_SECURITY_YAMA |
| implementedIn | Linux kernel |
| integratesWith | Linux Security Modules framework |
| introducedFor | hardening Linux distributions |
| license | GNU General Public License |
| operatingSystem | Linux |
| policy | no attach; only children may be traced when scope is 3; restrict ptrace to admin-only attach when scope is 2; restrict ptrace to parent processes when scope is 1 |
| primaryFunction | enhance process-related security; enhance ptrace-related security |
| provides | additional restrictions on ptrace; defense in depth for process isolation |
| ptraceScopeValue | 0; 1; 2; 3 |
| relatedTo | AppArmor; SELinux; Smack; TOMOYO Linux |
| restricts | cross-uid ptrace in stricter modes; ptrace of non-child processes depending on policy |
| scope | debugging and tracing restrictions; process-level security |
| securityModel | discretionary access control; mandatory access control aspects |
| supports | per-system security policy tuning; ptrace_scope setting |
| usedBy | various Linux distributions as default hardening |
Referenced by (1)