# The ptrace system call is used for interprocess services,
|
# debugging, tracing and profiling) of processes.
#
# Usage of ptrace is restricted by normal user permissions. Normal
|
# cannot send signals to or processes that are running set-uid or
|
# usually be able to ptrace one another.
#
# Fedora enables the Yama security mechanism which restricts ptrace
# even further. Sysctl setting kernel.yama.ptrace_scope can have one
|
#
# 0 - Normal ptrace security permissions.
# 1 - Restricted ptrace. Only child processes plus normal permissions.
# 2 - Admin-only attach. Only processes with CAP_SYS_PTRACE may attach.
# 3 - No attach. No process may call ptrace at all. Irrevocable: the value
#     cannot be lowered again until the next boot.
#
|
# kernel sources.
#
# The default is 1, which allows tracing of child processes, but
|
|
|
# gdb /path/to/program ...
# Attaching to already running programs is NOT allowed:
# gdb -p ...
# This default setting is suitable for the common case, because it
|
|
|
# stored only in memory.)
#
# Developers and administrators might want to disable those protections
# to be able to attach debuggers to existing processes. Use
# sysctl kernel.yama.ptrace_scope=0
# to change the setting temporarily (it is lost at reboot), or copy this file to
# /etc/sysctl.d/20-yama-ptrace.conf to set it for future boots.
|
kernel.yama.ptrace_scope = 0