Comment # 14 on bug 1221763 from Michael Matz
(In reply to Johannes Segitz from comment #10)
> that's how it should be after the change. Users with different needs (which
> shouldn't be too many, not a lot of users do debugging of running processes)
> should change the sysctl setting

So, just to be sure I completely understand that: because "Archer Allstars"
complains about chrome sandboxing showing stuff in "red" and somewhere says
"no", the security team implemented this change without further discussion (or
rather: after it actually got rejected in jira) and without clear documentation
of how to get back a working system (or that such a far-reaching change was
done at all, a .changes entry in aaa_base reading "Restrict ptrace with Yama
LSM by default" goes unnoticed).

Well, super.  And there I thought the whole namespace container stuff was done
for separation, just to see that the non-containerized distro now goes down the
drain as well.

So, how can I disable yama?  The whole module, all of it, not just this
ptrace_scope.  I don't want to fiddle with it again if the security team
decides to further "enhance security" by randomly enabling other good-sounding
options like "disable syscalls".

