From b158f1d751b17acc1700fce9777d2b85ffa8e914 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= Date: Sun, 12 Apr 2015 15:33:42 +0200 Subject: system: Allow users to PTRACE_ATTACH to their own processes. * gnu/build/activation.scm (activate-ptrace-attach): New procedure. * gnu/system.scm (operating-system-activation-script): Use it. --- gnu/build/activation.scm | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'gnu/build/activation.scm') diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm index 64c3410baf..0c60355a1c 100644 --- a/gnu/build/activation.scm +++ b/gnu/build/activation.scm @@ -30,6 +30,7 @@ activate-/bin/sh activate-modprobe activate-firmware + activate-ptrace-attach activate-current-system)) ;;; Commentary: @@ -335,6 +336,18 @@ by itself, without having to resort to a \"user helper\"." (lambda (port) (display directory port)))) +(define (activate-ptrace-attach) + "Allow users to PTRACE_ATTACH their own processes. + +This works around a regression introduced in the default \"security\" policy +found in Linux 3.4 onward that prevents users from attaching to their own +processes--see Yama.txt in the Linux source tree for the rationale. This +sounds like an unacceptable restriction for little or no security +improvement." + (call-with-output-file "/proc/sys/kernel/yama/ptrace_scope" + (lambda (port) + (display 0 port)))) + (define %current-system ;; The system that is current (a symlink.) This is not necessarily the same -- cgit v1.2.3
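Review bot: `activate-ptrace-attach` opens `/proc/sys/kernel/yama/ptrace_scope` unconditionally, so on a kernel built or booted without the Yama LSM (where that file presumably does not exist) `call-with-output-file` would raise and could abort the activation script. Guarding the write would avoid that, e.g. `(let ((file "/proc/sys/kernel/yama/ptrace_scope")) (when (file-exists? file) (call-with-output-file file ...)))`. Separately, the docstring's "little or no security improvement" understates the change: with scope 0, any process running under a user's UID may attach to that user's other processes and inspect their memory, which is the exposure Yama.txt describes. The docstring should state that trade-off, for instance `Note: this lifts Yama's restriction system-wide; any process of a user may then attach to that user's other processes.` Since this runs on every activation, it may be worth making it configurable; the call site in gnu/system.scm is not shown in this view, so whether it is already conditional cannot be checked here.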