https://bugzilla.suse.com/show_bug.cgi?id=1221763 https://bugzilla.suse.com/show_bug.cgi?id=1221763#c2 Michael Matz changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jslaby@suse.com --- Comment #2 from Michael Matz --- Seems to have come in via https://bugzilla.suse.com/show_bug.cgi?id=1128245 CCing Jiri. Maybe it's only the support at all that came in via the above and not the default switch to "on"? Either way, I don't think having this on by default is a good idea, it prevents _each and all_ ptrace to non-childs (and hence debugging of running processes in general), when not being root. People who want system-wide ptrace separation (and for unknown reasons don't want to use real sandboxes, like separate PID namespaces!?#) can enable this on an opt-in basis. -- You are receiving this mail because: You are the assignee for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1221763 https://bugzilla.suse.com/show_bug.cgi?id=1221763#c4 Jiri Slaby changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |giuliano.belinassi@suse.com Flags| |needinfo?(giuliano.belinass | |i@suse.com) --- Comment #4 from Jiri Slaby --- (In reply to Giuliano Belinassi from comment #0)

Recent updates of tumbleweed broke `ptrace(PTRACE_ATTACH, ...)` when attaching to a process from the same user. This breaks attaching a debugger (gdb) to a process and userspace livepatching. A single line reproducer in a clean system is:

``` $ sleep 5000 & gdb -p $(pidof sleep) ```

If you see the following message:

``` Attaching to process 12606 ptrace: Operation not permitted. ``` This means ptrace is not working. As a contrast, running gdb with sudo works as intended.

Value of /proc/sys/kernel/yama/ptrace_scope: ``` $ cat /proc/sys/kernel/yama/ptrace_scope 1 ```

So this actually works as expected and was supposed to work like this forever. Could you clarify what "Recent updates of tumbleweed" broke this? -- You are receiving this mail because: You are the assignee for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1221763 https://bugzilla.suse.com/show_bug.cgi?id=1221763#c6 --- Comment #6 from Martin Jambor --- (In reply to Jiri Slaby from comment #4)

Could you clarify what "Recent updates of tumbleweed" broke this?

I'm not sure if it helps but the most recent TW that I can find where /proc/sys/kernel/yama/ptrace_scope still defaults to 0 is "20240209." For example TW with version "20240218" already defaults to 1. -- You are receiving this mail because: You are the assignee for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1221763 https://bugzilla.suse.com/show_bug.cgi?id=1221763#c8 Jiri Slaby changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|kernel-bugs@opensuse.org |jsegitz@suse.com Component|Kernel |Basesystem --- Comment #8 from Jiri Slaby --- Got it. /usr/lib/sysctl.d/52-yama.conf coming from aaa_base the change is: https://build.opensuse.org/package/rdiff/Base:System/aaa_base?linkrev=base&rev=772 coming from: https://github.com/openSUSE/aaa_base/commit/b59d2fdb3c03b1a85fd49d6f2f4b2b71... Without any explanation or reference. -- You are receiving this mail because: You are the assignee for the bug.