system: Allow users to PTRACE_ATTACH to their own processes.

* gnu/build/activation.scm (activate-ptrace-attach): New procedure.
* gnu/system.scm (operating-system-activation-script): Use it.
This commit is contained in:
Ludovic Courtès 2015-04-12 15:33:42 +02:00
parent ce6fc7d6a5
commit b158f1d751
2 changed files with 16 additions and 0 deletions

View File

@ -30,6 +30,7 @@
activate-/bin/sh activate-/bin/sh
activate-modprobe activate-modprobe
activate-firmware activate-firmware
activate-ptrace-attach
activate-current-system)) activate-current-system))
;;; Commentary: ;;; Commentary:
@ -335,6 +336,18 @@ by itself, without having to resort to a \"user helper\"."
(lambda (port) (lambda (port)
(display directory port)))) (display directory port))))
(define (activate-ptrace-attach)
"Allow users to PTRACE_ATTACH their own processes.
This works around a regression introduced in the default \"security\" policy
found in Linux 3.4 onward that prevents users from attaching to their own
processes--see Yama.txt in the Linux source tree for the rationale. This
sounds like an unacceptable restriction for little or no security
improvement."
(call-with-output-file "/proc/sys/kernel/yama/ptrace_scope"
(lambda (port)
(display 0 port))))
(define %current-system (define %current-system
;; The system that is current (a symlink.) This is not necessarily the same ;; The system that is current (a symlink.) This is not necessarily the same

View File

@ -681,6 +681,9 @@ etc."
(activate-firmware (activate-firmware
(string-append #$firmware "/lib/firmware")) (string-append #$firmware "/lib/firmware"))
;; Let users debug their own processes!
(activate-ptrace-attach)
;; Run the services' activation snippets. ;; Run the services' activation snippets.
;; TODO: Use 'load-compiled'. ;; TODO: Use 'load-compiled'.
(for-each primitive-load '#$actions) (for-each primitive-load '#$actions)