system: Allow users to PTRACE_ATTACH to their own processes.
* gnu/build/activation.scm (activate-ptrace-attach): New procedure. * gnu/system.scm (operating-system-activation-script): Use it.
parent
ce6fc7d6a5
commit
b158f1d751
|
@ -30,6 +30,7 @@
|
||||||
activate-/bin/sh
|
activate-/bin/sh
|
||||||
activate-modprobe
|
activate-modprobe
|
||||||
activate-firmware
|
activate-firmware
|
||||||
|
activate-ptrace-attach
|
||||||
activate-current-system))
|
activate-current-system))
|
||||||
|
|
||||||
;;; Commentary:
|
;;; Commentary:
|
||||||
|
@ -335,6 +336,18 @@ by itself, without having to resort to a \"user helper\"."
|
||||||
(lambda (port)
|
(lambda (port)
|
||||||
(display directory port))))
|
(display directory port))))
|
||||||
|
|
||||||
|
(define (activate-ptrace-attach)
|
||||||
|
"Allow users to PTRACE_ATTACH their own processes.
|
||||||
|
|
||||||
|
This works around a regression introduced in the default \"security\" policy
|
||||||
|
found in Linux 3.4 onward that prevents users from attaching to their own
|
||||||
|
processes--see Yama.txt in the Linux source tree for the rationale. This
|
||||||
|
sounds like an unacceptable restriction for little or no security
|
||||||
|
improvement."
|
||||||
|
(call-with-output-file "/proc/sys/kernel/yama/ptrace_scope"
|
||||||
|
(lambda (port)
|
||||||
|
(display 0 port))))
|
||||||
|
|
||||||
|
|
||||||
(define %current-system
|
(define %current-system
|
||||||
;; The system that is current (a symlink.) This is not necessarily the same
|
;; The system that is current (a symlink.) This is not necessarily the same
|
||||||
|
|
|
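Review bot: Writing 0 to ptrace_scope lifts Yama's restriction for every process on the system, not just for an interactive debugging session, so any code running under a user's uid (a browser extension, a build script) can attach to and read the memory of that user's ssh-agent, gpg-agent or other credential-holding processes; the docstring's "little or no security improvement" understates that, and I would reword it to state the trade-off, e.g. `;; Trades Yama's same-uid attach restriction for debugger convenience: a compromise of any user process can then ptrace every process of that user.` Separately, `call-with-output-file` raises a system-error when the sysctl is absent (a kernel built without Yama has no /proc/sys/kernel/yama/ directory), which would abort the whole activation script, so guard the write with `(when (file-exists? "/proc/sys/kernel/yama/ptrace_scope") ...)` around the existing call. As Yama.txt (which the docstring cites) describes it, scope 1 still allows attaching to descendants (gdb launching the program) and an explicit opt-in via `prctl(PR_SET_PTRACER, ...)`, so the less drastic options deserve a mention, or the value should be configurable rather than hard-coded to 0.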
@ -681,6 +681,9 @@ etc."
|
||||||
(activate-firmware
|
(activate-firmware
|
||||||
(string-append #$firmware "/lib/firmware"))
|
(string-append #$firmware "/lib/firmware"))
|
||||||
|
|
||||||
|
;; Let users debug their own processes!
|
||||||
|
(activate-ptrace-attach)
|
||||||
|
|
||||||
;; Run the services' activation snippets.
|
;; Run the services' activation snippets.
|
||||||
;; TODO: Use 'load-compiled'.
|
;; TODO: Use 'load-compiled'.
|
||||||
(for-each primitive-load '#$actions)
|
(for-each primitive-load '#$actions)
|
||||||
|
|
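Review bot: The `(activate-ptrace-attach)` call is unconditional, so every operating-system built from this file ends up with the Yama restriction disabled and an operator has no way to keep the kernel default; a system-wide security sysctl deserves an opt-out (an operating-system field or a service) rather than a hard-coded call in the activation script. The comment `;; Let users debug their own processes!` should also say what is being relaxed, e.g. `;; Set /proc/sys/kernel/yama/ptrace_scope to 0 so users can PTRACE_ATTACH to their own processes (relaxes Yama's default restriction system-wide).` The enclosing activation-script gexp starts and ends outside the hunk.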