diff options
| -rw-r--r-- | gnu/build/activation.scm | 13 | ||||
| -rw-r--r-- | gnu/system.scm | 3 |
2 files changed, 16 insertions, 0 deletions
diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm index 64c3410baf..0c60355a1c 100644 --- a/gnu/build/activation.scm +++ b/gnu/build/activation.scm @@ -30,6 +30,7 @@ activate-/bin/sh activate-modprobe activate-firmware + activate-ptrace-attach activate-current-system)) ;;; Commentary: @@ -335,6 +336,18 @@ by itself, without having to resort to a \"user helper\"." (lambda (port) (display directory port)))) +(define (activate-ptrace-attach) + "Allow users to PTRACE_ATTACH their own processes. + +This works around a regression introduced in the default \"security\" policy +found in Linux 3.4 onward that prevents users from attaching to their own +processes--see Yama.txt in the Linux source tree for the rationale. This +sounds like an unacceptable restriction for little or no security +improvement." + (call-with-output-file "/proc/sys/kernel/yama/ptrace_scope" + (lambda (port) + (display 0 port)))) + (define %current-system ;; The system that is current (a symlink.) This is not necessarily the same diff --git a/gnu/system.scm b/gnu/system.scm index a91c7136da..6cf12df604 100644 --- a/gnu/system.scm +++ b/gnu/system.scm @@ -681,6 +681,9 @@ etc." (activate-firmware (string-append #$firmware "/lib/firmware")) + ;; Let users debug their own processes! + (activate-ptrace-attach) + ;; Run the services' activation snippets. ;; TODO: Use 'load-compiled'. (for-each primitive-load '#$actions) |