02/02: system: Allow users to PTRACE_ATTACH to their own processes.

guix-commits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

02/02: system: Allow users to PTRACE_ATTACH to their own processes.

From:	Ludovic Court�s
Subject:	02/02: system: Allow users to PTRACE_ATTACH to their own processes.
Date:	Sun, 12 Apr 2015 13:33:57 +0000

civodul pushed a commit to branch master
in repository guix.

commit b158f1d751b17acc1700fce9777d2b85ffa8e914
Author: Ludovic Courtès <address@hidden>
Date:   Sun Apr 12 15:33:42 2015 +0200

    system: Allow users to PTRACE_ATTACH to their own processes.
    
    * gnu/build/activation.scm (activate-ptrace-attach): New procedure.
    * gnu/system.scm (operating-system-activation-script): Use it.
---
 gnu/build/activation.scm |   13 +++++++++++++
 gnu/system.scm           |    3 +++
 2 files changed, 16 insertions(+), 0 deletions(-)

diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm
index 64c3410..0c60355 100644
--- a/gnu/build/activation.scm
+++ b/gnu/build/activation.scm
@@ -30,6 +30,7 @@
             activate-/bin/sh
             activate-modprobe
             activate-firmware
+            activate-ptrace-attach
             activate-current-system))
 
 ;;; Commentary:
@@ -335,6 +336,18 @@ by itself, without having to resort to a \"user helper\"."
     (lambda (port)
       (display directory port))))
 
+(define (activate-ptrace-attach)
+  "Allow users to PTRACE_ATTACH their own processes.
+
+This works around a regression introduced in the default \"security\" policy
+found in Linux 3.4 onward that prevents users from attaching to their own
+processes--see Yama.txt in the Linux source tree for the rationale.  This
+sounds like an unacceptable restriction for little or no security
+improvement."
+  (call-with-output-file "/proc/sys/kernel/yama/ptrace_scope"
+    (lambda (port)
+      (display 0 port))))
+
 
 (define %current-system
   ;; The system that is current (a symlink.)  This is not necessarily the same
diff --git a/gnu/system.scm b/gnu/system.scm
index a91c713..6cf12df 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -681,6 +681,9 @@ etc."
                     (activate-firmware
                      (string-append #$firmware "/lib/firmware"))
 
+                    ;; Let users debug their own processes!
+                    (activate-ptrace-attach)
+
                     ;; Run the services' activation snippets.
                     ;; TODO: Use 'load-compiled'.
                     (for-each primitive-load '#$actions)

[Prev in Thread]

Current Thread

[Next in Thread]

branch master updated (4c2a38c -> b158f1d), Ludovic Court�s, 2015/04/12
- 01/02: build: Build and install (guix build-system haskell)., Ludovic Court�s, 2015/04/12
- 02/02: system: Allow users to PTRACE_ATTACH to their own processes., Ludovic Court�s <=

Prev by Date: 01/02: build: Build and install (guix build-system haskell).
Next by Date: branch master updated (b158f1d -> 4c9050c)
Previous by thread: 01/02: build: Build and install (guix build-system haskell).
Next by thread: branch master updated (b158f1d -> 4c9050c)
Index(es):
- Date
- Thread