path: root/Documentation/security/Yama.txt
diff options
Diffstat (limited to 'Documentation/security/Yama.txt')
1 files changed, 9 insertions, 1 deletions
diff --git a/Documentation/security/Yama.txt b/Documentation/security/Yama.txt
index a9511f1..e369de2 100644
--- a/Documentation/security/Yama.txt
+++ b/Documentation/security/Yama.txt
@@ -34,7 +34,7 @@ parent to a child process (i.e. direct "gdb EXE" and "strace EXE" still
work), or with CAP_SYS_PTRACE (i.e. "gdb --pid=PID", and "strace -p PID"
still work as root).
-For software that has defined application-specific relationships
+In mode 1, software that has defined application-specific relationships
between a debugging process and its inferior (crash handlers, etc),
prctl(PR_SET_PTRACER, pid, ...) can be used. An inferior can declare which
other process (and its descendents) are allowed to call PTRACE_ATTACH
@@ -46,6 +46,8 @@ restrictions, it can call prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, ...)
so that any otherwise allowed process (even those in external pid namespaces)
may attach.
+These restrictions do not change how ptrace via PTRACE_TRACEME operates.
The sysctl settings are:
0 - classic ptrace permissions: a process can PTRACE_ATTACH to any other
@@ -60,6 +62,12 @@ The sysctl settings are:
inferior can call prctl(PR_SET_PTRACER, debugger, ...) to declare
an allowed debugger PID to call PTRACE_ATTACH on the inferior.
+2 - admin-only attach: only processes with CAP_SYS_PTRACE may use ptrace
+3 - no attach: no processes may use ptrace with PTRACE_ATTACH. Once set,
+ this sysctl cannot be changed to a lower value.
The original children-only logic was based on the restrictions in grsecurity.