Allow ptrace to any process of the same user

Allows users to attach GDB to their own processes, without requiring running the program with GDB from the start. It is only available in compute nodes, the storage nodes continue with the restricted settings. Reviewed-by: Aleix Boné <abonerib@bsc.es>
2024-07-17 13:10:59 +02:00
parent 555879f04e
commit b57bb47aa6
3 changed files with 12 additions and 0 deletions
--- a/m/common/base/boot.nix
+++ b/m/common/base/boot.nix
@@ -19,6 +19,10 @@

  boot.kernel.sysctl = {
    "kernel.perf_event_paranoid" = lib.mkDefault "-1";
+
+    # Allow ptracing (i.e. attach with GDB) any process of the same user, see:
+    # https://www.kernel.org/doc/Documentation/security/Yama.txt
+    "kernel.yama.ptrace_scope" = "0";
  };

  boot.kernelPackages = pkgs.linuxPackages_latest;