Can’t edit /proc/sys/kernel/yama/ptrace_scope

I can’t debug programs with gdb, because I get the error “warning: Could not trace the inferior process. warning: ptrace: Operation not permitted”. One of the solutions is to edit /proc/sys/kernel/yama/ptrace_scope, but I can’t: “Error writing - invalid argument”. Even with root.
sudo gdb also doesn’t work

It is an intentional security setting by security-misc but can be undone.

In a sysmaint session, create a configuration file /etc/sysctl.d/50_user.conf with the content:

kernel.yama.ptrace_scope=0

(or another number, as per the kernel sysctl manual)

Re-generate the initial ramdisk. [1]

sudo dracut -f

Then reboot. That should fix this.


EDIT: Added instructions to re-generate initial ramdisk.


[1] Due to dracut’s early sysctl parsing.

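A small check for the situation described in the answer above (the drop-in says one value, the running kernel still reports another because the initrd was not regenerated). This is an added example, not from the thread or from security-misc; the file paths are parameters so it can be run against constructed files, and the status words it prints are my own labels.

```shell
#!/bin/sh
# Added example: compare the ptrace_scope configured in a sysctl.d drop-in
# with the value the running kernel reports. Since dracut parses sysctl
# settings early from the initrd, a stale initrd leaves the kernel at 3
# even though /etc/sysctl.d/50_user.conf says 0.

# Print the value assigned to kernel.yama.ptrace_scope in a sysctl.d file
# (last assignment wins, comments and surrounding whitespace ignored).
# Prints nothing when the key is absent or the file is unreadable.
configured_ptrace_scope() {
    conf="$1"
    [ -r "$conf" ] || return 0
    sed -n 's/^[[:space:]]*kernel\.yama\.ptrace_scope[[:space:]]*=[[:space:]]*\([0-3]\)[[:space:]]*$/\1/p' "$conf" | tail -n 1
}

# Usage: check_ptrace_scope [sysctl.d file] [procfs file]
# Prints one of: in-sync, stale-initrd, not-configured
check_ptrace_scope() {
    conf="${1:-/etc/sysctl.d/50_user.conf}"
    proc="${2:-/proc/sys/kernel/yama/ptrace_scope}"
    want=$(configured_ptrace_scope "$conf")
    have=$(cat "$proc" 2>/dev/null || echo unknown)
    if [ -z "$want" ]; then
        echo not-configured          # drop-in does not set the key at all
    elif [ "$want" = "$have" ]; then
        echo in-sync                 # kernel already runs the configured value
    else
        echo stale-initrd            # configured != running: run dracut -f and reboot
    fi
}
```

With no arguments it checks the real files; a result of stale-initrd is the cue to run `sudo dracut -f` and reboot as described above.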

Thanks, you saved me a lot of time

This works for me when I boot into 6.12.57. But when I boot into the latest kernel, 6.12.63 (everything else is the same), it seems to ignore the config file and keeps ptrace_scope at 3.

I found the cause: in 6.12.63, /etc/sysctl.d/50_user.conf is embedded in the initrd, and it takes effect after running dracut -f to regenerate the initrd.
In case anyone else is using it for the same thing: I set that because I want to use incus containers. lxcfs needs a ptrace_scope of 2 or lower to work; it gets errors with 3. incus can make containers without lxcfs, but it’s probably more secure with it, as then containers get their own view of /proc rather than the host one.
Also for incus add to /etc/permission-hardener.d/30_user.conf:
/usr/bin/newgidmap exactwhitelist
/usr/bin/newuidmap exactwhitelist

then run permission-hardener disable /usr/bin/newuidmap and permission-hardener disable /usr/bin/newgidmap

and add to /usr/bin/user-firewall-script:
nft insert rule inet filter forward index 0 iifname incusbr0 counter accept
nft insert rule inet filter forward index 0 oifname incusbr0 counter accept
nft insert rule inet filter output index 0 oifname incusbr0 counter accept
nft insert rule inet filter input index 0 iifname incusbr0 counter accept

Now documented here:
