From fcfc6ac149111df59ceea4477221c33de37042c3 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Wed, 17 Jul 2024 13:10:59 +0200 Subject: [PATCH] Allow ptrace to any process of the same user MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Allows users to attach GDB to their own processes, without requiring running the program with GDB from the start. It is only available in compute nodes, the storage nodes continue with the restricted settings. Reviewed-by: Aleix Boné --- m/bay/configuration.nix | 4 ++++ m/common/base/boot.nix | 4 ++++ m/lake2/configuration.nix | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/m/bay/configuration.nix b/m/bay/configuration.nix index 6aabe6b..5f215cf 100644 --- a/m/bay/configuration.nix +++ b/m/bay/configuration.nix @@ -9,6 +9,10 @@ # Select the this using the ID to avoid mismatches boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d53562d"; + boot.kernel.sysctl = { + "kernel.yama.ptrace_scope" = lib.mkForce "1"; + }; + environment.systemPackages = with pkgs; [ ceph ]; diff --git a/m/common/base/boot.nix b/m/common/base/boot.nix index a3408ab..0fb0855 100644 --- a/m/common/base/boot.nix +++ b/m/common/base/boot.nix @@ -19,6 +19,10 @@ boot.kernel.sysctl = { "kernel.perf_event_paranoid" = lib.mkDefault "-1"; + + # Allow ptracing (i.e. attach with GDB) any process of the same user, see: + # https://www.kernel.org/doc/Documentation/security/Yama.txt + "kernel.yama.ptrace_scope" = "0"; }; boot.kernelPackages = pkgs.linuxPackages_latest; diff --git a/m/lake2/configuration.nix b/m/lake2/configuration.nix index 04627a8..2a29ae7 100644 --- a/m/lake2/configuration.nix +++ b/m/lake2/configuration.nix @@ -8,6 +8,10 @@ boot.loader.grub.device = "/dev/disk/by-id/wwn-0x55cd2e414d53563a"; + boot.kernel.sysctl = { + "kernel.yama.ptrace_scope" = lib.mkForce "1"; + }; + environment.systemPackages = with pkgs; [ ceph ];