From 6e9d33b483245dc99ea5290c73dbe165406525aa Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Wed, 17 Jul 2024 13:10:59 +0200
Subject: [PATCH] Allow ptrace to any process of the same user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Allows users to attach GDB to their own processes, without requiring running the program with GDB from the start. It is only available in compute nodes, the storage nodes continue with the restricted settings.

Reviewed-by: Aleix Boné
---
 m/bay/configuration.nix | 4 ++++
 m/common/base/boot.nix | 4 ++++
 m/lake2/configuration.nix | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/m/bay/configuration.nix b/m/bay/configuration.nix
index 6aabe6bd..5f215cf1 100644
--- a/m/bay/configuration.nix
+++ b/m/bay/configuration.nix
@@ -9,6 +9,10 @@
 # Select the this using the ID to avoid mismatches
 boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d53562d";
 
+ boot.kernel.sysctl = {
+ "kernel.yama.ptrace_scope" = lib.mkForce "1";
+ };
+
 environment.systemPackages = with pkgs; [
 ceph
 ];
diff --git a/m/common/base/boot.nix b/m/common/base/boot.nix
index a3408ab1..0fb08559 100644
--- a/m/common/base/boot.nix
+++ b/m/common/base/boot.nix
@@ -19,6 +19,10 @@
 
 boot.kernel.sysctl = {
 "kernel.perf_event_paranoid" = lib.mkDefault "-1";
+
+ # Allow ptracing (i.e. attach with GDB) any process of the same user, see:
+ # https://www.kernel.org/doc/Documentation/security/Yama.txt
+ "kernel.yama.ptrace_scope" = "0";
 };
 
 boot.kernelPackages = pkgs.linuxPackages_latest;
diff --git a/m/lake2/configuration.nix b/m/lake2/configuration.nix
index 04627a87..2a29ae7a 100644
--- a/m/lake2/configuration.nix
+++ b/m/lake2/configuration.nix
@@ -8,6 +8,10 @@
 
 boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d53563a";
 
+ boot.kernel.sysctl = {
+ "kernel.yama.ptrace_scope" = lib.mkForce "1";
+ };
+
 environment.systemPackages = with pkgs; [
 ceph
 ];
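Review bot: The `"kernel.yama.ptrace_scope" = lib.mkForce "1";` added to m/bay/configuration.nix, and the identical line in m/lake2/configuration.nix, carries no explanation of why this host keeps the restricted Yama scope while the base module relaxes it, so a later reader sees only a forced override; a comment such as `# Storage node: keep Yama restricted (only descendants may be ptraced), overriding the base "0".` would record the intent that the commit message states. The mkForce is only needed because the base definition is a plain `"0"`; if the base used `lib.mkDefault`, a plain `"1"` here would suffice and any future conflicting definition on this host would surface as an evaluation error instead of being silently overridden. This assumes `lib` is among the module's arguments, since the module header is outside the hunk.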
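Review bot: In m/common/base/boot.nix the new `"kernel.yama.ptrace_scope" = "0";` is a plain definition, unlike the `lib.mkDefault "-1"` on the perf_event_paranoid line directly above it, so every host that wants the kernel default back has to mkForce it (as bay and lake2 do); `"kernel.yama.ptrace_scope" = lib.mkDefault "0";` would make per-host overrides ordinary definitions and keep the two entries consistent. The comment should also state the trade-off, that scope 0 lets any process of a user attach to and read any other process of the same user on that node, including long-lived ones holding secrets, and that the storage nodes override it back to "1", so the relaxation is not mistaken for a cluster-wide default. The effective value on a booted host can be confirmed with `sysctl kernel.yama.ptrace_scope`, which is worth noting for whoever audits the node configurations.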