What | Removed | Added |
---|---|---|
CC | | jslaby@suse.com |

Seems to have come in via https://bugzilla.suse.com/show_bug.cgi?id=1128245, CCing Jiri. Maybe it's only the support at all that came in via the above and not the default switch to "on"? Either way, I don't think having this on by default is a good idea: it prevents _each and all_ ptrace to non-children (and hence debugging of running processes in general) when not being root. People who want system-wide ptrace separation (and for unknown reasons don't want to use real sandboxes, like separate PID namespaces!?) can enable this on an opt-in basis.