M gnu/build/activation.scm => gnu/build/activation.scm +13 -0
@@ 30,6 30,7 @@
activate-/bin/sh
activate-modprobe
activate-firmware
+ activate-ptrace-attach
activate-current-system))
;;; Commentary:
@@ 335,6 336,18 @@ by itself, without having to resort to a \"user helper\"."
(lambda (port)
(display directory port))))
+(define (activate-ptrace-attach)
+ "Allow users to PTRACE_ATTACH their own processes.
+
+This works around a regression introduced in the default \"security\" policy
+found in Linux 3.4 onward that prevents users from attaching to their own
+processes--see Yama.txt in the Linux source tree for the rationale. This
+sounds like an unacceptable restriction for little or no security
+improvement."
+ (call-with-output-file "/proc/sys/kernel/yama/ptrace_scope"
+ (lambda (port)
+ (display 0 port))))
+
�
(define %current-system
;; The system that is current (a symlink.) This is not necessarily the same
M gnu/system.scm => gnu/system.scm +3 -0
@@ 681,6 681,9 @@ etc."
(activate-firmware
(string-append #$firmware "/lib/firmware"))
+ ;; Let users debug their own processes!
+ (activate-ptrace-attach)
+
;; Run the services' activation snippets.
;; TODO: Use 'load-compiled'.
(for-each primitive-load '#$actions)