Option to disable ptrace_scope security flag.
giulianobelinassi opened this issue · comments
OpenSUSE Tumbleweed introduced a YAMA option as default to disable ptrace of sibling processes. This affects the behavior of gdb and Userspace Livepatching. We have two options in this case:
- Run the tests as root.
- Disable `ptrace_scope` by running: `echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope` or setting `kernel.yama.ptrace_scope = 0` in `/etc/sysctl.conf`.
This problem comes from this openSUSE bug bsc#1221763.
What we expect is an option to disable the `ptrace_scope` flag in the `*.spec` file, so we can run the tests of gdb and libpulp as expected.
A third, intermediate option is to use Linux capabilities.
I've written a script using capsh, submitted here, that I used to run the gdb testsuite.
It's based on an example found here.
The benefits of this approach are:
- you don't run tests with full root permissions (although you still need root permission to obtain the CAP_SYS_PTRACE capability).
- you don't change system-wide settings.
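Added example, not part of the thread and not the capsh script mentioned above: it maps a Yama `ptrace_scope` value and a process's effective capability mask to whether attaching to a sibling process is permitted, which is why granting only `CAP_SYS_PTRACE` is enough for the tests. The function names are hypothetical, and the verdict assumes a same-UID target that has not opted in through `prctl(PR_SET_PTRACER)`.

```shell
#!/bin/sh
# Added example: would a tracer be allowed to attach to a *sibling* process?
# Assumptions: same-UID, dumpable target that has not called PR_SET_PTRACER.

CAP_SYS_PTRACE_BIT=19   # CAP_SYS_PTRACE number in linux/capability.h

# has_cap_sys_ptrace HEXMASK: succeeds if bit 19 is set in a CapEff-style mask
has_cap_sys_ptrace() {
    [ $(( (0x$1 >> $CAP_SYS_PTRACE_BIT) & 1 )) -eq 1 ]
}

# sibling_attach_verdict SCOPE CAPEFF_HEX: prints allowed | denied | invalid
sibling_attach_verdict() {
    case "$1" in
        0)  echo allowed ;;                 # classic ptrace permissions
        1|2)                                # 1: descendants only, 2: admin only
            if has_cap_sys_ptrace "$2"; then
                echo allowed                # the capability overrides both modes
            else
                echo denied                 # a sibling is not a descendant
            fi ;;
        3)  echo denied ;;                  # no attach at all, even with the capability
        *)  echo invalid ;;
    esac
}

# current_verdict: evaluate the live settings of the calling process
current_verdict() {
    # A missing file means Yama is not active, which behaves like scope 0.
    scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null) || scope=0
    capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null) || capeff=0
    sibling_attach_verdict "$scope" "${capeff:-0}"
}

echo "sibling ptrace attach from this shell: $(current_verdict)"
```

Run once from a plain shell and once from the capability-granting wrapper to confirm the wrapper changes the verdict without touching the system-wide sysctl.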
The kernel OBS build package could just ship the sysctl file.
This is a content decision; please follow up with the code stream maintainer, as is already happening in https://bugzilla.suse.com/show_bug.cgi?id=1221763