From a52c4e60c3df29cc6bdb7ef9f588f3c803cf9e8b Mon Sep 17 00:00:00 2001 From: Amrita Date: Tue, 7 Apr 2026 15:12:46 +0530 Subject: [PATCH 1/8] toc-structure --- DC-SAP-lsm | 15 +++++ DC-SLES-lsm | 15 +++++ articles/lsm.asm.xml | 141 +++++++++++++++++++++++++++++++++++++++++ concepts/intro-lsm.xml | 62 ++++++++++++++++++ 4 files changed, 233 insertions(+) create mode 100644 DC-SAP-lsm create mode 100644 DC-SLES-lsm create mode 100644 articles/lsm.asm.xml create mode 100644 concepts/intro-lsm.xml diff --git a/DC-SAP-lsm b/DC-SAP-lsm new file mode 100644 index 000000000..370b2885e --- /dev/null +++ b/DC-SAP-lsm @@ -0,0 +1,15 @@ +# This file originates from the project https://github.com/openSUSE/doc-kit +# This file can be edited downstream. + +MAIN="lsm.asm.xml" +# Point to the ID of the of your assembly +SRC_DIR="articles" +IMG_SRC_DIR="images" + +PROFOS="sles4sap" +PROFCONDITION="16.0" +#PROFCONDITION="suse-product;beta" +#PROFCONDITION="community-project" + +STYLEROOT="/usr/share/xml/docbook/stylesheet/suse2022-ns" +FALLBACK_STYLEROOT="/usr/share/xml/docbook/stylesheet/suse-ns" \ No newline at end of file diff --git a/DC-SLES-lsm b/DC-SLES-lsm new file mode 100644 index 000000000..708968e04 --- /dev/null +++ b/DC-SLES-lsm @@ -0,0 +1,15 @@ +# This file originates from the project https://github.com/openSUSE/doc-kit +# This file can be edited downstream. + +MAIN="lsm.asm.xml" +# Point to the ID of the of your assembly +SRC_DIR="articles" +IMG_SRC_DIR="images" + +PROFOS="sles" +PROFCONDITION="16.0" +#PROFCONDITION="suse-product;beta" +#PROFCONDITION="community-project" + +STYLEROOT="/usr/share/xml/docbook/stylesheet/suse2022-ns" +FALLBACK_STYLEROOT="/usr/share/xml/docbook/stylesheet/suse-ns" \ No newline at end of file diff --git a/articles/lsm.asm.xml b/articles/lsm.asm.xml new file mode 100644 index 000000000..f47228e92 --- /dev/null +++ b/articles/lsm.asm.xml 
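Review bot: both new DC files end without a trailing newline (`\ No newline at end of file`) and both carry the template comment typo `# Point to the ID of the of your assembly`; add the newline and fix the comment to "Point to the ID of your assembly" in DC-SAP-lsm and DC-SLES-lsm before merging. The two files otherwise differ only in `PROFOS` (`sles4sap` versus `sles`), which is expected, but make sure the assembly actually profiles anything SAP-specific, otherwise the SAP build duplicates the SLES article verbatim.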
@@ -0,0 +1,141 @@ + + + + %entities; +]> + + + + + + + + + + + + Introduction to the Linux Security Module Framework + + 2026-04-07 + + + Initial version + + + + + + + + + + Smart Docs + + + + Administration + Configuration + Security + + + + + + https://bugzilla.suse.com/enter_bug.cgi + Documentation + SUSE Linux Enterprise Server 16.0 + SUSE Linux Enterprise Server 16.0 + amrita.sakthivel@suse.com + + yes + + + + + &x86-64; + &power; + &zseries; + &aarch64; + + + + + &productname; + + + + Introduction to Ansible Core + Learn how to simplify IT tasks and system management using Ansible core + + + Use Ansible automation platform to efficiently automate IT tasks + + + + + WHAT? + + +Ansible is an IT automation tool that simplifies configuration management, application deployment and +task orchestration by enabling you to define infrastructure as code in a simple way. + + + + + WHY? + + +Learn how to automate IT infrastructure with Ansible, from installation and configuration, to creating +inventory files and a playbooks. + + + + + EFFORT + + +The average reading time of this article is approximately 40 minutes. + + + + + REQUIREMENTS + + + + +Linux fundamentals: Understanding basic Linux commands, file permissions, directory structures +and use of the command line. + + + + +Networking: Ansible connects to remote machines via SSH so knowledge of IP addresses, SSH, host names and ports is required. + + + + +YAML: Ansible playbooks are written in YAML, so knowing how to structure a YAML file is essential. + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/concepts/intro-lsm.xml b/concepts/intro-lsm.xml new file mode 100644 index 000000000..4d9e40ff4 --- /dev/null +++ b/concepts/intro-lsm.xml 
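Review bot: this version of articles/lsm.asm.xml still contains the copied Ansible Core template text (the `Introduction to Ansible Core` title and subtitle, the WHAT/WHY paragraphs about configuration management and playbooks, the Networking/SSH and YAML requirements, and the 40 minute EFFORT estimate) while the `<meta>` title says "Introduction to the Linux Security Module Framework"; that text is only replaced in PATCH 7/8, so either squash the series or replace it in this commit so that every intermediate commit builds a coherent article. Two smaller points in the same hunk: the bug-tracker product and component are set to "SUSE Linux Enterprise Server 16.0" only, although DC-SAP-lsm builds the same assembly for `sles4sap`, so check whether the SAP profile needs its own entry; and the `<revhistory>` entry "Initial version" should name what the article covers (LSM framework plus Yama) so later revisions have something to diff against.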
@@ -0,0 +1,62 @@ + + + %entities; +]> + + + + + + + About the Linux Security Module Framework + + + +The LSM (Linux Security Module) framework is a modular architecture within the Linux kernel that allows for the implementation of various security models, primarily MAC (Mandatory Access Control). + + + + +Rather than hard-coding a specific security policy into the kernel, LSM provides a set of hooks at every critical system call,such as opening files, creating sockets, or starting processes that allow security modules like &selnx;, AppArmor, or Yama to verify actions. +When a process attempts a sensitive operation, the kernel triggers these hooks to ask the loaded security module for permission; if the module's specific policy denies the request, the action is blocked even if the user has root privileges. +This framework ensures that Linux remains flexible, allowing users to choose or stack different security layers based on their specific needs for system hardening. + +
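Review bot: the hook description in the second paragraph of concepts/intro-lsm.xml is imprecise: LSM hooks are placed at security-relevant points inside kernel operations (inode, task, socket, IPC, module loading and so on), not "at every critical system call", and one system call may pass several hooks or none; reword to "a set of hooks at security-relevant points in kernel operations, such as opening a file, creating a socket or executing a program". Also fix the missing space in "system call,such as", and qualify "even if the user has root privileges": this holds for MAC policies such as SELinux and AppArmor, whereas Yama's ptrace restriction is explicitly bypassed by CAP_SYS_PTRACE, which the article itself relies on later when it calls level 2 "admin-only".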
+ How LSM works? + Whenever a process tries to access an object like opening a file, sending a network packet, or creating a directory, the kernel first performs its standard DAC (Discretionary Access Control). This is the basic root versus user or read/write/execute permission check. +If the DAC allows it, the LSM framework then steps in: + + +The kernel calls a hook which is a redirection point. + + + The Security Module, for example &selnx; checks its own specific policy. + + + The security module then returns a decision; Allowed or Denied. + + +You can check which security modules are currently initialized on your Linux system: +cat /sys/kernel/security/lsm +lockdown,capability,landlock,yama,selinux,bpf,ima,evm + +
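Review bot: the section title `How LSM works?` should not carry a question mark ("How LSM works"), and the DAC description "the basic root versus user or read/write/execute permission check" conflates DAC (owner/group/other mode bits and ACLs) with root's capability-based override (CAP_DAC_OVERRIDE); say "the owner, group and mode bit check (plus ACLs)" and leave root out of it. The three list items read as fragments of one sentence ("The kernel calls a hook which is a redirection point."); write each as a full step and state the consequence explicitly: because the hook runs only after DAC has allowed the operation, an LSM can only further restrict access, never grant what DAC denied. The `cat /sys/kernel/security/lsm` example is useful; add that the output lists the modules in initialization order as they were enabled at boot (`capability` is always present) and that it requires securityfs to be mounted on /sys/kernel/security, which is the default.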
+
+ Why is LSM important? + Before LSM was introduced, users who want to add a new security feature to Linux had to hack the kernel code directly. + LSM solved this by: + + Standardization: It created a stable interface so security developers did not have to rewrite their code every time the kernel updated. + Modularity: It allows users to choose the security model that fits their needs, for example, AppArmor for ease of use or &selnx; for high-security environments. + Stacking: Modern kernels allow you to stack multiple modules, so you can run something like Yama to protect against ptrace attacks alongside AppArmor. + +
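Review bot: the Stacking bullet overstates what modern kernels allow. Only one of the exclusive "major" modules (SELinux, AppArmor, Smack, TOMOYO) can be active at a time; the "minor" modules (Yama, Lockdown, Landlock, LoadPin, BPF, IMA/EVM) stack on top of it, which is exactly what the `lockdown,capability,landlock,yama,selinux,bpf,ima,evm` output earlier in the file shows (one major module, selinux, plus minor ones). The Yama-alongside-AppArmor example is right, but state the restriction so readers do not expect SELinux and AppArmor together. Also fix the tense in the opening sentence: "users who wanted to add a new security feature ... had to patch the kernel" (not "hack").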
+
\ No newline at end of file From 081a4fe9271bdf0060886cf48af61fb72c77939b Mon Sep 17 00:00:00 2001 From: Amrita Date: Tue, 7 Apr 2026 15:44:45 +0530 Subject: [PATCH 2/8] yama --- articles/lsm.asm.xml | 3 ++- concepts/intro-lsm-yama.xml | 31 +++++++++++++++++++++++++++++++ concepts/intro-lsm.xml | 2 +- 3 files changed, 34 insertions(+), 2 deletions(-) create mode 100644 concepts/intro-lsm-yama.xml diff --git a/articles/lsm.asm.xml b/articles/lsm.asm.xml index f47228e92..9e128219d 100644 --- a/articles/lsm.asm.xml +++ b/articles/lsm.asm.xml @@ -14,7 +14,7 @@ - + @@ -132,6 +132,7 @@ and use of the command line. + diff --git a/concepts/intro-lsm-yama.xml b/concepts/intro-lsm-yama.xml new file mode 100644 index 000000000..d8c41ce94 --- /dev/null +++ b/concepts/intro-lsm-yama.xml @@ -0,0 +1,31 @@ + + + %entities; +]> + + + + + + + Introduction to the YAMA security module + + + +Yama is a Linux security module designed to enhance system-wide security by implementing DAC (Discretionary Access Control) for certain kernel functionalities. +It focuses on restricting the use of the ptrace system call, which is commonly used for debugging but can also be exploited for malicious purposes. + + + + + + + \ No newline at end of file diff --git a/concepts/intro-lsm.xml b/concepts/intro-lsm.xml index 4d9e40ff4..966d53a43 100644 --- a/concepts/intro-lsm.xml +++ b/concepts/intro-lsm.xml @@ -59,4 +59,4 @@ lockdown,capability,landlock,yama,selinux,bpf,ima,evm Stacking: Modern kernels allow you to stack multiple modules, so you can run something like Yama to protect against ptrace attacks alongside AppArmor. - \ No newline at end of file + \ No newline at end of file From 25f217bbda4adff62036fa087c625b88afc344e9 Mon Sep 17 00:00:00 2001 From: Amrita Date: Wed, 8 Apr 2026 13:36:15 +0530 Subject: [PATCH 3/8] yama-intro --- concepts/intro-lsm-yama.xml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) 
diff --git a/concepts/intro-lsm-yama.xml b/concepts/intro-lsm-yama.xml index d8c41ce94..cecc0be10 100644 --- a/concepts/intro-lsm-yama.xml +++ b/concepts/intro-lsm-yama.xml @@ -21,11 +21,14 @@ Yama is a Linux security module designed to enhance system-wide security by implementing DAC (Discretionary Access Control) for certain kernel functionalities. -It focuses on restricting the use of the ptrace system call, which is commonly used for debugging but can also be exploited for malicious purposes. - +It focuses on restricting the use of the ptrace system call, which is commonly used for debugging but can also be exploited for malicious purposes. +ptrace is a short form of process call, which is a powerful system call that allows one process to observe, control, and manipulate another process. + - +The Yama module is vital because it addresses a fundamental weakness in the traditional Linux process model, where any process could freely peek and poke into the memory of any other process owned by the same user. +By introducing configurable scopes, most notably the restriction that a process can only trace its own descendants Yama prevents lateral movement by attackers. This means a compromised low-privilege application, like a Web browser or a chat client, cannot easily reach out to steal sensitive data from an SSH agent or a password manager running in the same session. +You can implement Yama which is selectable at build-time with CONFIG_SECURITY_YAMA and can be controlled at run-time through sysctls in /proc/sys/kernel/yama. \ No newline at end of file From a5e3d97c44006977bf51cf62055808d3ced3c1fb Mon Sep 17 00:00:00 2001 From: Amrita Date: Wed, 8 Apr 2026 14:13:11 +0530 Subject: [PATCH 4/8] steps --- articles/lsm.asm.xml | 3 ++- tasks/enable-yama-lsm.xml | 57 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 tasks/enable-yama-lsm.xml 
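Review bot: "ptrace is a short form of process call" is wrong; ptrace stands for "process trace", and the system call it names lets a tracer inspect and modify the registers and memory of a tracee. In the second paragraph, "prevents lateral movement by attackers" overclaims: at scope 1 Yama only stops a process from attaching to a non-descendant process of the same user, and the restriction does not apply to processes with CAP_SYS_PTRACE or to tracers the tracee has allowed with `prctl(PR_SET_PTRACER)`; say "stops a compromised process from attaching to unrelated processes of the same user" and mention both exceptions, otherwise the later "admin-only" level makes no sense. Also add the missing comma after "its own descendants" and rewrite the last sentence as a statement: "Yama is selectable at build time with CONFIG_SECURITY_YAMA, must be listed in CONFIG_LSM or the `lsm=` boot parameter, and is controlled at run time through the sysctl `kernel.yama.ptrace_scope` (/proc/sys/kernel/yama/ptrace_scope)."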
diff --git a/articles/lsm.asm.xml b/articles/lsm.asm.xml index 9e128219d..219556eb0 100644 --- a/articles/lsm.asm.xml +++ b/articles/lsm.asm.xml @@ -15,6 +15,7 @@ + @@ -133,7 +134,7 @@ and use of the command line. - + diff --git a/tasks/enable-yama-lsm.xml b/tasks/enable-yama-lsm.xml new file mode 100644 index 000000000..f7670f4c8 --- /dev/null +++ b/tasks/enable-yama-lsm.xml @@ -0,0 +1,57 @@ + + + + + %entities; +]> + + + + + + + Enabling the Yama Linux Security module + + + + + Using the Yama LSM is primarily an administrative task that involves interacting with the Linux kernel's sysctl interface. Since Yama is built into most modern kernels , you don't run it like a program; instead, you configure its ptrace_scope . + + + + + Setting Yama security levels + Verify that your kernel was compiled with Yama support. check for the existence of the Yama configuration file: + +ls /proc/sys/kernel/yama/ptrace_scope +If this file exists, Yama is active. If you get a No such file or directory error, Yama is likely not compiled into your kernel or not enabled as a security module at boot. + + +To see which mode your system is currently using, read the value of the ptrace_scope file: + +cat /proc/sys/kernel/yama/ptrace_scope + +0: Classic permissions (Least secure). +1: Restricted (Default on most systems; can only trace children). +2: Admin-only (Requires root). +3: Disabled (Highest security; cannot be changed without reboot). + + +You can change the security level temporarily to see how it affects your tools, for example, strace: +&prompt.sudo; sh -c 'echo 2 /proc/sys/kernel/yama/ptrace_scope' + If the level is already set to 3, you cannot lower it using this method. Level 3 is a lockdown mode that persists until the next system reboot. + + + + + + \ No newline at end of file From 6c3135d4e6403cce70844acbc337c69abaf377ad Mon Sep 17 00:00:00 2001 
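Review bot: the command `sh -c 'echo 2 /proc/sys/kernel/yama/ptrace_scope'` in tasks/enable-yama-lsm.xml is missing the redirection, so it prints "2 /proc/sys/kernel/yama/ptrace_scope" to the terminal and changes nothing; use `sh -c 'echo 2 > /proc/sys/kernel/yama/ptrace_scope'` (escape the `>` as `&gt;` in the XML) or, simpler and what the rest of the task uses anyway, `sysctl -w kernel.yama.ptrace_scope=2`. The level list needs correcting as well: level 1 does not mean a process "can only trace children" but that a process may only be traced by one of its ancestors, with CAP_SYS_PTRACE holders and tracers allowed via `prctl(PR_SET_PTRACER)` as exceptions; and "3: Disabled" is ambiguous (it disables ptrace attach, not Yama), so call it "No attach". Minor: stray spaces before punctuation in "modern kernels , you" and "ptrace_scope .", and "check for the existence" should start a new sentence with a capital letter. Since the steps set a level rather than enable the module, consider the title "Configuring the Yama ptrace scope".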
From: Amrita Date: Thu, 9 Apr 2026 12:57:54 +0530 Subject: [PATCH 5/8] steps --- tasks/enable-yama-lsm.xml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/tasks/enable-yama-lsm.xml b/tasks/enable-yama-lsm.xml index f7670f4c8..c105fbb14 100644 --- a/tasks/enable-yama-lsm.xml +++ b/tasks/enable-yama-lsm.xml @@ -50,8 +50,19 @@ in the assembly --> &prompt.sudo; sh -c 'echo 2 /proc/sys/kernel/yama/ptrace_scope' If the level is already set to 3, you cannot lower it using this method. Level 3 is a lockdown mode that persists until the next system reboot. +sleep 100 & +Note the PID. +Open a separate terminal and try to attach to it; strace -p PID_NO. +If Yama level 1 is active, you will see: attach: ptrace: Operation not permitted. + - + Edit the sysctl configuration to make the Yama level permanent: +&prompt.sudo; vi /etc/sysctl.d/10-ptrace.conf +If the file does not exist, you can create it or edit /etc/sysctl.conf. +Add the following line and apply the change: +kernel.yama.ptrace_scope = 1 +&prompt.sudo; sysctl -p /etc/sysctl.d/10-ptrace.conf +Optional: If you want to ensure Yama is at level 3 (disabled) from the moment the system turns on, add yama.ptrace_scope=3 to your GRUB kernel boot parameters. \ No newline at end of file From a3cac27e2742bb9bfff075b2ff826a964e609827 Mon Sep 17 00:00:00 2001 From: Amrita Date: Thu, 9 Apr 2026 14:25:41 +0530 Subject: [PATCH 6/8] structure --- articles/lsm.asm.xml | 2 ++ concepts/intro-lsm.xml | 37 ++++++++++++++++++++++++++++++++++ tasks/yama-troubleshooting.xml | 33 ++++++++++++++++++++++++++++++ 3 files changed, 72 insertions(+) create mode 100644 tasks/yama-troubleshooting.xml diff --git a/articles/lsm.asm.xml b/articles/lsm.asm.xml index 219556eb0..e28b3a2a6 100644 --- a/articles/lsm.asm.xml +++ b/articles/lsm.asm.xml @@ -16,6 +16,7 @@ + @@ -135,6 +136,7 @@ and use of the command line. + diff --git a/concepts/intro-lsm.xml b/concepts/intro-lsm.xml index 966d53a43..846fadeee 100644 
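Review bot: the `sleep 100 &` / `strace -p PID_NO` demonstration is appended to the step that has just set level 2, but the text says "If Yama level 1 is active"; at level 2 a non-root `strace -p` is denied too, so align the sentence with the level the previous step set, and split "start sleep", "note the PID" and "attach from a second terminal" into their own `<step>` elements rather than a trailing `<para>`. The quoted error should be hedged: current strace prints "strace: attach: ptrace(PTRACE_SEIZE, PID): Operation not permitted", and the exact wording depends on the strace version. For persistence, `sysctl -p /etc/sysctl.d/10-ptrace.conf` is fine, but note that `sysctl --system` is what the boot sequence runs, so the sysctl.d file already applies at boot. That makes the optional GRUB step questionable: `yama.ptrace_scope=3` is not a kernel command-line parameter I can find documented; kernels since 5.8 accept `sysctl.kernel.yama.ptrace_scope=3` on the command line if a boot-time override is really wanted, otherwise drop the step. In the same sentence, "level 3 (disabled)" repeats the misleading label, and level 3 should carry a warning that it is irreversible until reboot and breaks `gdb -p`, `strace -p` and crash-handler attach for everyone, including root.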
--- a/concepts/intro-lsm.xml +++ b/concepts/intro-lsm.xml @@ -48,6 +48,43 @@ If the DAC allows it, the LSM framework then steps in: cat /sys/kernel/security/lsm lockdown,capability,landlock,yama,selinux,bpf,ima,evm +sysctl is a powerful interface used to examine and modify kernel parameters at runtime. However, because these settings can fundamentally change how the OS behaves, they are guarded by specific permissions. +When a setting is writable only with CAP_SYS_PTRACE, it means the kernel requires the process attempting the change to possess a specific capability. +The sysctl settings writable only with CAP_SYS_PTRACE are: + +sysctl settings explained + + + + Level + Name + Description + + + + + 0 + Classic + Regular Linux ptrace permissions (owner can attach). + + + 1 + Restricted + Only a parent process can ptrace its descendants. + + + 2 + Admin-only + Only processes with CAP_SYS_PTRACE can ptrace (usually root). + + + 3 + No-attach + Ptrace is disabled globally. Cannot be changed until reboot. + + + +
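Review bot: the sysctl paragraph and the ptrace_scope table are Yama-specific but are inserted into the generic "How LSM works" section of concepts/intro-lsm.xml, directly after the `cat /sys/kernel/security/lsm` example; move them to concepts/intro-lsm-yama.xml where the module is introduced. The lead-in "The sysctl settings writable only with CAP_SYS_PTRACE are:" is followed by a table of values, not settings; rephrase to "`kernel.yama.ptrace_scope` is Yama's only sysctl; it is writable only by processes with CAP_SYS_PTRACE and accepts the following values", and cut the "sysctl is a powerful interface ... guarded by specific permissions" filler. In the table, the level 0 description "owner can attach" should read "any process running as the same user may attach, subject to the normal dumpable check", and the level 1 row should mention the `prctl(PR_SET_PTRACER)` exception, since that is what tools such as crash handlers rely on.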
Why is LSM important? diff --git a/tasks/yama-troubleshooting.xml b/tasks/yama-troubleshooting.xml new file mode 100644 index 000000000..c1071f698 --- /dev/null +++ b/tasks/yama-troubleshooting.xml @@ -0,0 +1,33 @@ + + + + + + %entities; +]> + + + + Troubleshooting Yama + + + Troubleshooting Yama is essential because an overly restrictive ptrace_scope can silently break critical system operations, such as debugging with GDB or generating crash reports, directly impacting a developer's ability to diagnose software failures. + + Common troubleshooting scenarios include: + + + xx + xx + + + + \ No newline at end of file From fff9ac93578efea7e7530fd661711e70ce1939e0 Mon Sep 17 00:00:00 2001 From: Amrita Date: Thu, 9 Apr 2026 14:45:40 +0530 Subject: [PATCH 7/8] adds troubleshooting --- articles/lsm.asm.xml | 24 ++++++------------------ 1 file changed, 6 insertions(+), 18 deletions(-) diff --git a/articles/lsm.asm.xml b/articles/lsm.asm.xml index e28b3a2a6..b59db417f 100644 --- a/articles/lsm.asm.xml +++ b/articles/lsm.asm.xml @@ -73,11 +73,11 @@ - Introduction to Ansible Core - Learn how to simplify IT tasks and system management using Ansible core + Introduction to the Yama Linux Security Module + Understanding the Yama LSM is vital because it provides a foundational layer of defense-in-depth by restricting ptrace capabilities - Use Ansible automation platform to efficiently automate IT tasks + The Linux Security Module (LSM) framework is a critical component of the kernel because it allows the system to enforce Mandatory Access Control (MAC) policies that go beyond standard user permissions 
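Review bot: tasks/yama-troubleshooting.xml is merged with `xx` placeholders in the scenario list; do not merge a placeholder topic, or fill in the scenarios the intro paragraph already names: `gdb -p` or `strace -p` fails with "Operation not permitted" (check `/proc/sys/kernel/yama/ptrace_scope`, attach from an ancestor process, have the target call `prctl(PR_SET_PTRACER, ...)`, or run the tracer with CAP_SYS_PTRACE at level 2), and crash-reporting helpers that can no longer attach after the scope was raised. In the first hunk of PATCH 7, the new `<subtitle>` ("Understanding the Yama LSM is vital because ...") is a sentence rather than a subtitle, the following `<para>` has no closing period, and the `<meta>` title still reads "Introduction to the Linux Security Module Framework" while the `<title>` now reads "Introduction to the Yama Linux Security Module"; pick one and use it in both places.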
@@ -85,8 +85,7 @@ WHAT? -Ansible is an IT automation tool that simplifies configuration management, application deployment and -task orchestration by enabling you to define infrastructure as code in a simple way. + The LSM functions as a secondary, mandatory validation layer that intercepting system calls only after DAC has granted permission, ensuring that security policies are strictly enforced even if a user or process possesses ownership of a resource. @@ -94,8 +93,7 @@ task orchestration by enabling you to define infrastructure as code in a simple WHY? -Learn how to automate IT infrastructure with Ansible, from installation and configuration, to creating -inventory files and a playbooks. + Learn how to use and configure LSMs like Yama, as it enables you to transition from basic user-level security to a robust, hardened system capable of neutralizing zero-day exploits. @@ -117,17 +115,7 @@ The average reading time of this article is approximately 40 minutes. and use of the command line. - - -Networking: Ansible connects to remote machines via SSH so knowledge of IP addresses, SSH, host names and ports is required. - - - - -YAML: Ansible playbooks are written in YAML, so knowing how to structure a YAML file is essential. - - - + From b94bf71351c1ab980af57c031898c8e5f2865a51 Mon Sep 17 00:00:00 2001 From: Amrita Date: Fri, 10 Apr 2026 19:20:17 +0530 Subject: [PATCH 8/8] ref module --- articles/lsm.asm.xml | 2 ++ glues/lsm-more-info.xml | 27 +++++++++++++++++++++++++++ 2 files changed, 29 insertions(+) create mode 100644 glues/lsm-more-info.xml diff --git a/articles/lsm.asm.xml b/articles/lsm.asm.xml index b59db417f..ef33879f0 100644 --- a/articles/lsm.asm.xml +++ b/articles/lsm.asm.xml @@ -17,6 +17,7 @@ + @@ -125,6 +126,7 @@ and use of the command line. + diff --git a/glues/lsm-more-info.xml b/glues/lsm-more-info.xml new file mode 100644 index 000000000..7f21b2a92 --- /dev/null +++ b/glues/lsm-more-info.xml 
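Review bot: grammar in the new WHAT paragraph: "a secondary, mandatory validation layer that intercepting system calls" should be "that intercepts", and per the earlier correction it intercepts security-relevant kernel operations rather than system calls as such. The WHY paragraph's "a robust, hardened system capable of neutralizing zero-day exploits" overclaims; Yama narrows what a compromised same-user process can do with ptrace and SELinux/AppArmor confine processes to policy, which limits the impact of an exploit, not whether it succeeds; say that instead. The EFFORT paragraph still carries the template's "approximately 40 minutes", which was never re-estimated for this article. The PATCH 8 hunk in the same region only adds the include lines and is fine.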
@@ -0,0 +1,27 @@ + + + %entities; +]> + + + For more information + + + + + + To learn more about the Linux Security Module usage: + . + + + + + \ No newline at end of file
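Review bot: the "For more information" glue renders as "To learn more about the Linux Security Module usage: ." because the `<link>` element has no target, so the only reference in the article is empty; either set `xlink:href` to the upstream documentation (the kernel admin guide at https://docs.kernel.org/admin-guide/LSM/ and its Yama page are the obvious targets) or drop the list item until a reference exists. The file also lacks a trailing newline, as the other new files in this series do.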