https://bugzilla.suse.com/show_bug.cgi?id=1221763
https://bugzilla.suse.com/show_bug.cgi?id=1221763#c14

--- Comment #14 from Michael Matz <matz@suse.com> ---
(In reply to Johannes Segitz from comment #10)
> that's how it should be after the change. Users with different needs (which shouldn't be too many, not a lot of users do debugging of running processes) should change the sysctl setting

So, just to be sure I completely understand that: because "Archer Allstars" complains about Chrome sandboxing showing stuff in "red" and somewhere says "no", the security team implemented this change without further discussion (or rather: after it actually got rejected in Jira) and without clear documentation of how to get back a working system (or that such a far-reaching change was done at all, a .changes entry in aaa_base reading "Restrict ptrace with Yama LSM by default" goes unnoticed).

Well, super. And there I thought the whole namespace container stuff was done for separation, just to see that the non-containerized distro now goes down the drain as well.

So, how can I disable yama? The whole module, all of it, not just this ptrace_scope. I don't want to fiddle with it again if the security team decides to further "enhance security" by randomly enabling other good-sounding options like "disable syscalls".