Allow attaching to non-child processes by default

The inability to run strace or gdb is the kind of developer-unfriendliness that we're used to from OS X, let's not do it on NixOS. This restriction can be re-enabled by setting boot.kernel.sysctl."kernel.yama.ptrace_scope" = 1; It might be nice to have a NixOS module for enabling hardened defaults. Xref #14392. Thanks @abbradar.
NixOS · Mar 21, 2017 · 86721a5 · 86721a5 · aneeshusa · Mar 22, 2017
1 parent 78bb734
commit 86721a5
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 9 deletions.
diff --git a/nixos/doc/manual/release-notes/rl-1703.xml b/nixos/doc/manual/release-notes/rl-1703.xml
@@ -95,15 +95,6 @@ following incompatible changes:</para>
     </para>
   </listitem>
 
-  <listitem>
-    <para>
-      The Yama LSM is now enabled by default in the kernel,
-      which prevents ptracing non-child processes.
-      This means you will not be able to attach gdb to an existing process,
-      but will need to start that process from gdb (so it is a child).
-    </para>
-  </listitem>
-
   <listitem>
     <para>
       The <literal>stripHash</literal> bash function in <literal>stdenv</literal>

diff --git a/nixos/modules/config/sysctl.nix b/nixos/modules/config/sysctl.nix
@@ -64,5 +64,9 @@ in
     # Removed under grsecurity.
     boot.kernel.sysctl."kernel.kptr_restrict" =
       if (config.boot.kernelPackages.kernel.features.grsecurity or false) then null else 1;
+
+    # Disable YAMA by default to allow easy debugging.
+    boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkDefault 0;
+
   };
 }