
feat: manage ptrace access using SELinux#2012

Draft
HastD wants to merge 2 commits into secureblue:live from HastD:ptrace-selinux

Conversation

@HastD
Collaborator

@HastD HastD commented Mar 5, 2026

Use SELinux in combination with Yama (instead of just Yama) to manage ptrace access in a more fine-grained way. See issue #2007 for more detailed discussion of the motivation for this change.

  • Make kernel.yama.ptrace_scope default to 1 instead of 3.
  • Enable the SELinux boolean deny_ptrace by default.
  • Create a new SELinux boolean, container_allow_ptrace, that allows container_domain to use ptrace (irrespective of the deny_ptrace setting).
  • Replace ujust toggle-anticheat-support (alias ujust toggle-ptrace-scope) with ujust set-ptrace (alias ujust set-anticheat-support). The new ujust script is written in Python, follows the usage conventions for other ujust set-* scripts, and allows selecting between three modes for ptrace access: on/enabled, container-only, and off/disabled.
  • Make ujust toggle-debug-mode temporarily enable (restricted) ptrace for the session.
  • Add a systemd service, secureblue-ptrace-migration.service, that automatically migrates users to the new SELinux-based ptrace controls: values of kernel.yama.ptrace_scope of 1, 2, or 3 will be respectively mapped to the ptrace modes "enabled", "container-only", and "disabled" (all with ptrace_scope = 1).
  • Modify ujust audit-secureblue, ujust install-dangerzone, and ujust install-steam to take into account the new method of ptrace access management.

Resolves #2007.

@HastD HastD force-pushed the ptrace-selinux branch 3 times, most recently from 8d1bf45 to 01c3bae, March 6, 2026 17:13
@HastD
Collaborator Author

HastD commented Mar 6, 2026

Results of testing in a silverblue-main-hardened VM:

  • /etc/sysctl.d/61-ptrace-scope.conf is removed
  • container_allow_ptrace SELinux boolean is present. Currently, even if container_allow_ptrace is false and deny_ptrace is true, container_runtime_t and spc_t can still use ptrace, but this is a policy error that I've already fixed upstream; it just hasn't made it into a release yet.
  • ujust set-ptrace works to change ptrace status (and has an alias ujust set-anticheat-support)
  • ujust audit-secureblue correctly detects ptrace status
  • ujust toggle-debug-mode temporarily enables ptrace
  • With kernel.yama.ptrace_scope set to 1 before rebase, secureblue-ptrace-migration.service runs successfully, sets deny_ptrace to false, removes /etc/sysctl.d/61-ptrace-scope.conf, and creates a stamp file in /var/lib/secureblue (to ensure it runs only once).
  • With ptrace_scope set to 2 before rebase, same as above except deny_ptrace and container_allow_ptrace are both set to true. ptrace_scope is still set at 2 for the first boot after update (because the migration service runs after /etc/sysctl.d is read), but gets set to 1 on the next boot.
  • With ptrace_scope set to 3 before rebase, same as above except deny_ptrace is set to true and container_allow_ptrace is set to false. ptrace_scope is set to 1 on the first boot after update in this case because /etc/sysctl.d/61-ptrace-scope.conf is unmodified before rebase, so it gets removed as part of the rebase rather than by the migration service.
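The migration mapping described in the PR description and exercised in the test results above, as an added example that is not secureblue's own code: it parses the sysctl drop-in, maps ptrace_scope 1/2/3 to the (deny_ptrace, container_allow_ptrace) boolean pair, and models the one-shot stamp-file behaviour against a scratch directory tree. The stamp file name, the fallback to the old default scope of 3 when the drop-in is absent, and returning setsebool commands instead of executing them are assumptions of this example.

```python
import re
from pathlib import Path

# Paths named in the PR, relative to a root so the example can run on a scratch tree.
SYSCTL_CONF = "etc/sysctl.d/61-ptrace-scope.conf"
STAMP = "var/lib/secureblue/ptrace-migration.stamp"  # stamp file name is assumed

# mode -> (deny_ptrace, container_allow_ptrace), from the PR description.
MODE_BOOLEANS = {"enabled": (False, False),
                 "container-only": (True, True),
                 "disabled": (True, False)}
SCOPE_TO_MODE = {1: "enabled", 2: "container-only", 3: "disabled"}
OLD_DEFAULT_SCOPE = 3  # image default before this change, per the PR

def parse_ptrace_scope(conf_text):
    """Return kernel.yama.ptrace_scope from sysctl.d-style text, or None."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        m = re.fullmatch(r"kernel\.yama\.ptrace_scope\s*=\s*(\d+)", line)
        if m:
            value = int(m.group(1))  # last assignment wins, as sysctl does
    return value

def plan_migration(scope):
    """Map a pre-migration ptrace_scope to the new SELinux-based settings."""
    if scope not in SCOPE_TO_MODE:
        raise ValueError(f"ptrace_scope {scope} is not covered by the PR's mapping")
    mode = SCOPE_TO_MODE[scope]
    deny, container = MODE_BOOLEANS[mode]
    onoff = lambda b: "on" if b else "off"
    return {"mode": mode,
            "setsebool": [f"setsebool -P deny_ptrace {onoff(deny)}",
                          f"setsebool -P container_allow_ptrace {onoff(container)}"],
            "ptrace_scope": 1}  # every mode leaves Yama at scope 1

def migrate(root):
    """One-shot migration against a filesystem tree rooted at `root`."""
    root = Path(root)
    stamp = root / STAMP
    if stamp.exists():
        return None  # already migrated: the stamp makes the service idempotent
    conf = root / SYSCTL_CONF
    scope = parse_ptrace_scope(conf.read_text()) if conf.exists() else None
    plan = plan_migration(OLD_DEFAULT_SCOPE if scope is None else scope)
    if conf.exists():
        conf.unlink()  # the old per-host override is superseded by the booleans
    stamp.parent.mkdir(parents=True, exist_ok=True)
    stamp.write_text(plan["mode"] + "\n")
    return plan
```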

@HastD HastD marked this pull request as ready for review March 6, 2026 20:46
@HastD HastD requested a review from RoyalOughtness as a code owner March 6, 2026 20:46
@HastD HastD force-pushed the ptrace-selinux branch 2 times, most recently from 4483b16 to c86be73, March 18, 2026 23:51
Comment thread files/justfiles/common/wrappers.just Outdated
Comment thread files/system/usr/lib/sysctl.d/55-hardening.conf
Comment thread files/system/usr/lib/systemd/system/secureblue-ptrace-migration.service Outdated
Comment thread files/system/usr/lib/systemd/system/secureblue-ptrace-migration.service Outdated
Collaborator

@RoyalOughtness RoyalOughtness left a comment


see above

Use SELinux in combination with Yama (instead of just Yama) to manage
ptrace access in a more fine-grained way. See issue secureblue#2007 for more
detailed discussion of the motivation for this change.

* Make `kernel.yama.ptrace_scope` default to 1 instead of 3.
* Enable the SELinux boolean `deny_ptrace` by default.
* Create a new SELinux boolean, `container_allow_ptrace`, that allows
  `container_domain` to use ptrace (irrespective of the `deny_ptrace`
  setting).
* Replace `ujust toggle-anticheat-support` (alias `ujust
  toggle-ptrace-scope`) with `ujust set-ptrace` (alias `ujust
  set-anticheat-support`). The new ujust script is written in Python,
  follows the usage conventions for other `ujust set-*` scripts, and
  allows selecting between three modes for ptrace access: on/enabled,
  container-only, and off/disabled.
* Make `ujust toggle-debug-mode` temporarily enable (restricted) ptrace
  for the session.
* Add a systemd service, `secureblue-ptrace-migration.service`, that
  automatically migrates users to the new SELinux-based ptrace controls:
  values of `kernel.yama.ptrace_scope` of 1, 2, or 3 will be
  respectively mapped to the ptrace modes "enabled", "container-only",
  and "disabled" (all with ptrace_scope = 1).
* Modify `ujust audit-secureblue`, `ujust install-dangerzone`, and
  `ujust install-steam` to take into account the new method of ptrace
  access management.
@HastD HastD requested a review from RoyalOughtness March 19, 2026 23:15
RoyalOughtness approved these changes Mar 25, 2026
@HastD HastD marked this pull request as draft March 25, 2026 17:54


Development

Successfully merging this pull request may close these issues.

[FEAT] Restrict ptrace access using SELinux

2 participants