I just noticed that both the Ptrace Protection with Yama LSM sandboxing statuses in Brave are showing as No (brave://sandbox). This is because openSUSE doesn't enable ptrace_scope by default, even though its kernel is built with CONFIG_SECURITY_YAMA=y. See more about this kernel feature here. ptrace_scope has been enabled on Ubuntu since 10.10, though.
On openSUSE, running
cat /proc/sys/kernel/yama/ptrace_scope will return
ptrace_scope is not enabled yet. Therefore, by enabling
ptrace_scope, the sandboxing status Ptrace Protection with Yama LSM (Broker) in Brave or any Chromium-based browser will show as Yes.
However, Ptrace Protection with Yama LSM (Non-broker) is still showing as No unless I also set the cap_sys_ptrace capability to eip on Brave by:
sudo setcap cap_sys_ptrace=eip /opt/brave.com/brave/brave
But doing so makes the Layer 1 Sandbox sandboxing status turn to SUID, marked in yellow (it's green by default with Namespace as its value). I believe that's not a good thing, so I cleared the setcap on Brave.
I have 2 questions:
- Is Ptrace Protection very important? If so, why haven't some distros enabled it by default?
- How can I make all the sandboxing statuses green in Chromium-based browsers? If it's impossible, which one has to be green, Ptrace Protection with Yama LSM (Non-broker) or Layer 1 Sandbox?
From my brief findings, it seems Layer 1 Sandbox should stay the way it is, Namespace. Only when namespaces aren't available is Yama LSM Enforcing / Ptrace Protection with Yama LSM (Non-broker) available as an alternative mode, see here1 and here2.
Basically, only Ptrace Protection with Yama LSM (Broker) should be enabled as an additional security feature. Anyone can enable this feature by copying the
yama.conf file from
/etc/sysctl.d/. Then, change
kernel.yama.ptrace_scope value inside the file from
1 (the default value on Ubuntu).
EDIT: my current brave://sandbox on openSUSE with Ptrace Protection enabled:
|Layer 1 Sandbox
|Seccomp-BPF sandbox supports TSYNC
|Ptrace Protection with Yama LSM (Broker)
|Ptrace Protection with Yama LSM (Non-broker)
Interestingly, Brave includes /usr/lib/sysctl.d/53-brave.conf, which has these contents:
# Recommended kernel settings for the Chromium sandbox (see chrome://sandbox)
#kernel.yama.ptrace_scope = 1
but it’s commented out for some reason… who knows why
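An added example, not from this thread: a POSIX shell audit that parses sysctl.d drop-ins the way sysctl does (comment lines versus live assignments), so a commented-out line like the one in 53-brave.conf is reported as inert rather than as a configured value, and compares that with the kernel's live ptrace_scope. The precedence it applies (/usr/lib/sysctl.d before /etc/sysctl.d) is simplified, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from this thread): audit kernel.yama.ptrace_scope config,
# telling an active setting apart from a commented-out one like 53-brave.conf's.

trim() { sed 's/^[[:space:]]*//;s/[[:space:]]*$//'; }

# Effective value of KEY across FILES (sysctl.d format: '#'/';' lines are
# comments, last uncommented assignment wins). Prints nothing if never set.
sysctl_effective() {
    key=$1; shift; val=""
    for f in "$@"; do
        [ -r "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|\#*|\;*) continue ;; esac
            k=$(printf '%s' "${line%%=*}" | trim)
            v=$(printf '%s' "${line#*=}" | trim)
            [ "$k" = "$key" ] && val=$v
        done < "$f"
    done
    printf '%s' "$val"
}

# Number of lines where KEY appears only behind a comment marker (inert).
sysctl_commented_count() {
    key=$1; shift
    pat="^[[:space:]]*[#;][[:space:]]*$(printf '%s' "$key" | sed 's/\./\\./g')[[:space:]]*="
    n=$(cat "$@" 2>/dev/null | grep -c "$pat" || true)
    printf '%s' "$n"
}

# Meaning of each Yama level, per Documentation/admin-guide/LSM/Yama.rst.
ptrace_scope_meaning() {
    case "$1" in
        0) echo "0: classic, any same-uid process may attach" ;;
        1) echo "1: restricted, only descendants, PR_SET_PTRACER targets or CAP_SYS_PTRACE" ;;
        2) echo "2: admin-only, attach needs CAP_SYS_PTRACE" ;;
        3) echo "3: no attach, cannot be lowered without a reboot" ;;
        *) echo "$1: Yama absent or unknown" ;;
    esac
}

# Live kernel value ("absent" when the sysctl does not exist) versus the
# value the drop-ins would apply (simplified precedence: /usr/lib then /etc).
yama_audit() {
    set -- /usr/lib/sysctl.d/*.conf /etc/sysctl.d/*.conf
    live=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo absent)
    echo "running:    $(ptrace_scope_meaning "$live")"
    echo "configured: '$(sysctl_effective kernel.yama.ptrace_scope "$@")'"
    echo "commented:  $(sysctl_commented_count kernel.yama.ptrace_scope "$@") line(s)"
}
```

Run yama_audit on the host to see whether a commented line is the only place the key is mentioned, which is the situation the post above describes.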
I would assume the reason it's commented out is that this setting would affect not only Brave, but also all other Chromium-based browsers and how the system works in this regard.
Nevertheless, it's a good setting and should be enabled regardless. I also opened a request to have this enabled by default on openSUSE, see SUSE Bug 1217051.
EDIT: the ptrace_scope=1 request has been merged upstream, see Restrict ptrace with Yama LSM by default by jsegitz · Pull Request #138 · openSUSE/aaa_base · GitHub