By DarrenMoffat on Feb 19, 2013
The Linux YAMA Loadable Security Module (LSM) provides a small number of protections over and above standard DAC (Discretionary Access Controls). These can be roughly mapped over to Solaris as follows:
The hardlink protection prevents a user from creating hardlinks to files that they do not have access to. For some strange reason POSIX still requires this behaviour.
The closest Solaris equivalent is removing the file_link_any basic privilege from a process, service or user; the description of file_link_any is:
Allows a process to create hardlinks to files owned by a uid different from the process' effective uid.
This YAMA protection is designed to stop processes running as the same uid from attaching to and tracing each other using ptrace.
For mapping this to Solaris I'd recommend removing two of the proc basic privileges; this actually exceeds the protection that YAMA_PTRACE gives:
Allows a process to send signals or trace processes outside its session.
Allows a process to examine the status of processes other than those it can send signals to. Processes which cannot be examined cannot be seen in /proc and appear not to exist.
The description of the Linux YAMA LSM that I looked at has one more protection, YAMA_SYMLINKS, for which I can find no Solaris equivalent. It is intended to protect against race conditions on symlinks in world-writable directories (e.g. /tmp). This is a nice protection; we don't have an equivalent in Solaris at this time, but I think it could be implemented as another basic privilege.
Reminder on Solaris Basic Privileges
As a reminder, basic privileges in Solaris are those which processes normally have because they were not considered to be security violations in the UNIX process model. A basic privilege can be removed from an SMF service in its method_credential section, or from a user's login session (usermod -K defaultpriv=basic,!file_link_any <username>). So there is no need to patch, rebuild or update the Solaris kernel to take advantage of these; in fact you can even change a running process using ppriv(1).
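The following script is an added example, not from Darren's post, pulling the three mappings above together. It assumes a Solaris 11 host; the privilege names proc_session and proc_info are the Solaris basic privileges whose descriptions are quoted above, and file_link_any is named in the post. The ppriv output it checks against is a constructed sample of what `ppriv <pid>` prints once the privileges have been dropped.

```shell
#!/bin/sh
# Added example (not part of the original post). Builds the privilege
# specification that gives YAMA-like hardlink and ptrace protection, shows
# where it plugs in (SMF manifest, user default set, running process) and
# verifies from ppriv output that the three privileges really are gone.

# The privilege set to use: everything in "basic" except the three
# privileges that map to the YAMA hardlink and ptrace protections.
yama_like_privset() {
    printf 'basic,!file_link_any,!proc_session,!proc_info'
}

# SMF manifest fragment: method_credential carries the privilege set.
# Arguments: user and group for the service (both default to daemon).
yama_like_method_credential() {
    user=${1:-daemon}
    group=${2:-daemon}
    printf '<method_context>\n  <method_credential user="%s" group="%s" privileges="%s"/>\n</method_context>\n' \
        "$user" "$group" "$(yama_like_privset)"
}

# Apply the set to a user's login default privileges (usermod -K, as in the post).
apply_to_user() {
    usermod -K "defaultpriv=$(yama_like_privset)" "$1"
}

# Drop the three privileges from the effective and inheritable sets of a
# running process; the E and I letters select the sets for ppriv -s.
apply_to_pid() {
    ppriv -s EI-file_link_any,proc_session,proc_info "$1"
}

# privs_dropped PPRIV_OUTPUT: succeed only if all three privileges appear
# negated (!name) in both the E and I lines of the ppriv output.
privs_dropped() {
    out=$1
    for s in E I; do
        line=$(printf '%s\n' "$out" | sed -n "s/^[[:space:]]*$s: //p")
        for p in file_link_any proc_session proc_info; do
            case ",$line," in
                *",!$p,"*) ;;
                *) return 1 ;;
            esac
        done
    done
    return 0
}

# Constructed sample of `ppriv <pid>` output after apply_to_pid has run.
SAMPLE_DROPPED='1234:   -sh
flags = <none>
        E: basic,!file_link_any,!proc_info,!proc_session
        I: basic,!file_link_any,!proc_info,!proc_session
        P: basic,!file_link_any,!proc_info,!proc_session
        L: all'

# Constructed sample of an untouched process, still holding the full basic set.
SAMPLE_UNTOUCHED='1235:   -sh
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all'

# audit_pid PID: on a Solaris host, report whether a live process has the
# three privileges removed (exit status 0 = dropped, 1 = still present).
audit_pid() {
    privs_dropped "$(ppriv "$1")"
}

# Demonstration when run directly on Solaris: check this shell, then the
# privileges it would hand to a child after the three are removed.
if command -v ppriv >/dev/null 2>&1; then
    audit_pid $$ && echo "shell $$: YAMA-like privileges already dropped" \
                 || echo "shell $$: still holds file_link_any/proc_session/proc_info"
fi
```

The manifest fragment from yama_like_method_credential goes inside the service's exec_method (or at the instance level) in the SMF manifest; the privilege set syntax is the same one usermod and ppriv accept, so a single definition keeps all three places consistent. privs_dropped is the post-change check: run it over `ppriv <pid>` for the service's processes after a restart to confirm the method_credential took effect.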