Bug 1217051

Summary:	Enable ptrace_scope=1 by default on openSUSE Tumbleweed
Product:	[openSUSE] openSUSE Tumbleweed	Reporter:	Archer Allstars <95kreaninw95>
Component:	Security	Assignee:	Johannes Segitz <jsegitz>
Status:	RESOLVED FIXED	QA Contact:	E-mail List <qa-bugs>
Severity:	Normal
Priority:	P5 - None	CC:	95kreaninw95
Version:	Current
Target Milestone:	---
Hardware:	64bit
OS:	openSUSE Tumbleweed
See Also:	https://bugzilla.suse.com/show_bug.cgi?id=1221763
Whiteboard:
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Archer Allstars 2023-11-13 01:06:43 UTC

Currently, on openSUSE Tumbleweed, ptrace_scope is disabled by default (ptrace_scope=0). This makes Chromium sandboxing status showing as no and red colored for both Ptrace Protection with Yama LSM entries.

Enabling ptrace_scope=1 this fixed the issue. And I think it's a security hardening for the system.

There's a request to enable this feature on SUSE 15 SP4: https://bugzilla.suse.com/show_bug.cgi?id=1198601

I am requesting this on openSUSE Tumbleweed.

For reference, ptrace_scope is enabled on Ubuntu since 10.10.

Comment 1 Johannes Segitz 2023-11-16 08:09:03 UTC

Yes, we should have this set to 1. That shouldn't break most use cases and improves security. I'll push for that

Comment 3 Johannes Segitz 2023-11-16 09:24:44 UTC

I opened a PR for this: https://github.com/openSUSE/aaa_base/pull/138

Comment 4 Archer Allstars 2023-11-19 18:03:14 UTC

ptrace_scope=1 has been merged upstream, see https://github.com/openSUSE/aaa_base/pull/138