hardening: use default ptrace scope on buildservers (!533) · Merge requests · Arch Linux / infrastructure · GitLab

Snippets Groups Projects

Due to an influx of spam, we have had to temporarily disable account registrations. Please write an email to accountsupport@archlinux.org, with your desired username, if you want to get access. Sorry for the inconvenience.

Merged Evangelos Foutras requested to merge remove-ptrace-hardening-from-buildservers into master 3 years ago

Viewing commit f6cbd3f8

Show latest version

1 file

+ 1

− 0

f6cbd3f8

hardening: use default ptrace scope on buildservers · f6cbd3f8

Evangelos Foutras authored 3 years ago

Making 'kernel.yama.ptrace_scope' more strict by setting it to '2'
causes failures in elfutils' test suite. While tentatively helpful
on other servers, it seems kind of unnecessary for a build server.

Fixes: #424 (to be reopened though, if more restrictions are found)

roles/hardening/tasks/main.yml

+ 1

− 0

@@ -7,6 +7,7 @@

- name: set ptrace scope, restrict ptrace to CAP_SYS_PTRACE
  copy: src=50-ptrace-restrict.conf dest=/etc/sysctl.d/50-ptrace-restrict.conf owner=root group=root mode=0644
  when: "'buildservers' not in group_names"
  notify:
    - apply sysctl settings