Diffstat (limited to 'Documentation/security/Yama.txt')
-rw-r--r-- | Documentation/security/Yama.txt | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/Documentation/security/Yama.txt b/Documentation/security/Yama.txt index 4f0b7896a21d..a9511f179069 100644 --- a/Documentation/security/Yama.txt +++ b/Documentation/security/Yama.txt | |||
@@ -41,7 +41,12 @@ other process (and its descendents) are allowed to call PTRACE_ATTACH | |||
41 | against it. Only one such declared debugging process can exists for | 41 | against it. Only one such declared debugging process can exists for |
42 | each inferior at a time. For example, this is used by KDE, Chromium, and | 42 | each inferior at a time. For example, this is used by KDE, Chromium, and |
43 | Firefox's crash handlers, and by Wine for allowing only Wine processes | 43 | Firefox's crash handlers, and by Wine for allowing only Wine processes |
44 | to ptrace each other. | 44 | to ptrace each other. If a process wishes to entirely disable these ptrace |
45 | restrictions, it can call prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, ...) | ||
46 | so that any otherwise allowed process (even those in external pid namespaces) | ||
47 | may attach. | ||
48 | |||
49 | The sysctl settings are: | ||
45 | 50 | ||
46 | 0 - classic ptrace permissions: a process can PTRACE_ATTACH to any other | 51 | 0 - classic ptrace permissions: a process can PTRACE_ATTACH to any other |
47 | process running under the same uid, as long as it is dumpable (i.e. | 52 | process running under the same uid, as long as it is dumpable (i.e. |
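Review bot: the new paragraph (new lines 44-47) opens by saying a process can "entirely disable these ptrace restrictions", but the same sentence then limits attaching to "any otherwise allowed process"; state that precedence explicitly so readers do not read PR_SET_PTRACER_ANY as granting attach rights to arbitrary processes, e.g. "This only lifts the Yama restriction for that process; the classic ptrace access checks (same uid and dumpable, or CAP_SYS_PTRACE, as described under the sysctl settings below) still apply." It would also help to spell out the full prctl argument list instead of the trailing "...", and to keep the existing paragraph's wording in line with the new one ("entirely disable" versus "otherwise allowed" is the only place the two disagree). Minor: the context line "Only one such declared debugging process can exists" has a pre-existing typo ("can exist") that could be fixed while this paragraph is being touched.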