
Bug#1025071: linux-image-5.10.0-18-amd64: please re-enable ptrace protection (yama)



Package: src:linux
Version: 5.10.140-1
Severity: wishlist
Tags: patch
X-Debbugs-Cc: niklas@ytvwld.de

Dear Maintainer,

#704750 in 2013 requested Yama – a kernel feature that restricts PTRACE_ATTACH
to parent processes and root (by default, it can be configured).
#712740 a few months later requested it to be disabled by default because it
prevents some debugging operations.

This is done via the yama-disable-by-default.patch.

With this bug I want to request dropping this patch. Yama is a security
feature: without it any process in a user session can attach to (almost) any
other one run by the same user.

Yes, it makes debugging a bit harder, but
a) most users don't debug stuff
b) child processes are unaffected (so gdb myprog still works)
c) it can be easily disabled with a sysctl
d) you could run your debugger as root instead (or with CAP_SYS_PTRACE)

As an aside: Ubuntu has had this enabled for years now (10.10, I think).
(Though they also patch e.g. gdb to produce better error messages, see
ptrace-error-verbosity.patch.)


-- Package-specific info:
** Version:
Linux version 5.10.0-18-amd64 (debian-kernel@lists.debian.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP Debian 5.10.140-1 (2022-09-02)

** Command line:
BOOT_IMAGE=/boot/vmlinuz-5.10.0-18-amd64 root=UUID=ba480852-3ea3-404c-a579-b7f9763d2150 ro quiet cryptdevice=UUID=f609152f-f025-4840-b84f-63e3051da79a:luks-f609152f-f025-4840-b84f-63e3051da79a root=/dev/mapper/luks-f609152f-f025-4840-b84f-63e3051da79a splash

** Not tainted

** Kernel log:
[    8.202615] systemd[1]: Detected virtualization oracle.
[    8.202620] systemd[1]: Detected architecture x86-64.
[    8.204574] systemd[1]: Set hostname to <user-virtualbox>.
[    8.519013] systemd[1]: /lib/systemd/system/plymouth-start.service:16: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
[    8.542226] systemd[1]: Queued start job for default target Graphical Interface.
[    8.543920] systemd[1]: Created slice system-getty.slice.
[    8.544185] systemd[1]: Created slice system-modprobe.slice.
[    8.544435] systemd[1]: Created slice Cryptsetup Units Slice.
[    8.544793] systemd[1]: Created slice system-systemd\x2dfsck.slice.
[    8.544993] systemd[1]: Created slice User and Session Slice.
[    8.545076] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[    8.545268] systemd[1]: Set up automount Arbitrary Executable File Formats File System Automount Point.
[    8.545345] systemd[1]: Reached target User and Group Name Lookups.
[    8.545384] systemd[1]: Reached target Remote File Systems.
[    8.545419] systemd[1]: Reached target Slices.
[    8.545458] systemd[1]: Reached target Swap.
[    8.545586] systemd[1]: Listening on Syslog Socket.
[    8.545709] systemd[1]: Listening on fsck to fsckd communication Socket.
[    8.545776] systemd[1]: Listening on initctl Compatibility Named Pipe.
[    8.546127] systemd[1]: Listening on Journal Audit Socket.
[    8.546249] systemd[1]: Listening on Journal Socket (/dev/log).
[    8.546423] systemd[1]: Listening on Journal Socket.
[    8.549582] systemd[1]: Listening on udev Control Socket.
[    8.549804] systemd[1]: Listening on udev Kernel Socket.
[    8.552122] systemd[1]: Mounting Huge Pages File System...
[    8.552813] systemd[1]: Mounting POSIX Message Queue File System...
[    8.553894] systemd[1]: Mounting Kernel Debug File System...
[    8.555691] systemd[1]: Mounting Kernel Trace File System...
[    8.558937] systemd[1]: Starting Set the console keyboard layout...
[    8.565797] systemd[1]: Starting Create list of static device nodes for the current kernel...
[    8.567008] systemd[1]: Starting Load Kernel Module configfs...
[    8.569144] systemd[1]: Starting Load Kernel Module drm...
[    8.583414] systemd[1]: Starting Load Kernel Module fuse...
[    8.594530] systemd[1]: Condition check resulted in Set Up Additional Binary Formats being skipped.
[    8.594599] systemd[1]: Condition check resulted in File System Check on Root Device being skipped.
[    8.596588] systemd[1]: Starting Journal Service...
[    8.612296] systemd[1]: Starting Load Kernel Modules...
[    8.621490] systemd[1]: Starting Remount Root and Kernel File Systems...
[    8.625029] fuse: init (API version 7.32)
[    8.625929] systemd[1]: Starting Coldplug All udev Devices...
[    8.628335] systemd[1]: Mounted Huge Pages File System.
[    8.647053] systemd[1]: Mounted POSIX Message Queue File System.
[    8.651777] systemd[1]: Mounted Kernel Debug File System.
[    8.671123] systemd[1]: Mounted Kernel Trace File System.
[    8.671853] systemd[1]: Finished Set the console keyboard layout.
[    8.672798] systemd[1]: Finished Create list of static device nodes for the current kernel.
[    8.675761] systemd[1]: modprobe@configfs.service: Succeeded.
[    8.675938] systemd[1]: Finished Load Kernel Module configfs.
[    8.676426] systemd[1]: modprobe@drm.service: Succeeded.
[    8.676633] systemd[1]: Finished Load Kernel Module drm.
[    8.677786] systemd[1]: modprobe@fuse.service: Succeeded.
[    8.678427] systemd[1]: Finished Load Kernel Module fuse.
[    8.682240] systemd[1]: Mounting FUSE Control File System...
[    8.685325] systemd[1]: Mounting Kernel Configuration File System...
[    8.687781] systemd[1]: Mounted FUSE Control File System.
[    8.693573] systemd[1]: Mounted Kernel Configuration File System.
[    8.697714] EXT4-fs (dm-0): re-mounted. Opts: (null)
[    8.699453] systemd[1]: Finished Remount Root and Kernel File Systems.
[    8.710793] systemd[1]: Condition check resulted in Rebuild Hardware Database being skipped.
[    8.710843] systemd[1]: Condition check resulted in Platform Persistent Storage Archival being skipped.
[    8.714391] systemd[1]: Starting Load/Save Random Seed...
[    8.719155] systemd[1]: Starting Create System Users...
[    8.738244] lp: driver loaded but no devices found
[    8.752724] ppdev: user-space parallel port driver
[    8.790620] systemd[1]: Finished Load/Save Random Seed.
[    8.790869] systemd[1]: Condition check resulted in First Boot Complete being skipped.
[    8.797575] systemd[1]: Finished Create System Users.
[    8.799195] systemd[1]: Starting Create Static Device Nodes in /dev...
[    8.801809] systemd[1]: Finished Load Kernel Modules.
[    8.805460] systemd[1]: Starting Apply Kernel Variables...
[    8.839446] systemd[1]: Finished Apply Kernel Variables.
[    8.849296] systemd[1]: Started Journal Service.
[    8.897323] systemd-journald[318]: Received client request to flush runtime journal.
[    9.386281] ACPI: AC Adapter [AC] (on-line)
[    9.433192] vboxguest: host-version: 6.1.38r153438 0x8000000f
[    9.446571] vbg_heartbeat_init: Setting up heartbeat to trigger every 2000 milliseconds
[    9.446782] input: VirtualBox mouse integration as /devices/pci0000:00/0000:00:04.0/input/input7
[    9.468172] vboxguest: misc device minor 61, IRQ 20, I/O port c140, MMIO at 0x00000000e1000000 (size 0x0000000000400000)
[    9.501238] sd 0:0:0:0: Attached scsi generic sg0 type 0
[    9.501305] sr 1:0:0:0: Attached scsi generic sg1 type 5
[    9.556626] pstore: Using crash dump compression: deflate
[    9.556633] pstore: Registered efi as persistent store backend
[    9.591759] input: PC Speaker as /devices/platform/pcspkr/input/input8
[    9.949034] snd_intel8x0 0000:00:05.0: allow list rate for 1028:0177 is 48000
[   10.226637] audit: type=1400 audit(1669733952.355:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-xpdfimport" pid=413 comm="apparmor_parser"
[   10.234672] audit: type=1400 audit(1669733952.363:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lsb_release" pid=415 comm="apparmor_parser"
[   10.327393] audit: type=1400 audit(1669733952.455:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/evince" pid=416 comm="apparmor_parser"
[   10.327397] audit: type=1400 audit(1669733952.455:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/evince//sanitized_helper" pid=416 comm="apparmor_parser"
[   10.327399] audit: type=1400 audit(1669733952.455:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/evince-previewer" pid=416 comm="apparmor_parser"
[   10.327401] audit: type=1400 audit(1669733952.455:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/evince-previewer//sanitized_helper" pid=416 comm="apparmor_parser"
[   10.327402] audit: type=1400 audit(1669733952.455:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/evince-thumbnailer" pid=416 comm="apparmor_parser"
[   10.446607] audit: type=1400 audit(1669733952.575:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-soffice" pid=417 comm="apparmor_parser"
[   10.446618] audit: type=1400 audit(1669733952.575:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-soffice//gpg" pid=417 comm="apparmor_parser"
[   10.456479] audit: type=1400 audit(1669733952.583:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/libexec/ibus-setup-hangul" pid=418 comm="apparmor_parser"
[   11.389158] e1000: enp0s3 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
[   11.389483] IPv6: ADDRCONF(NETDEV_CHANGE): enp0s3: link becomes ready
[   18.939471] rfkill: input handler disabled
[  101.864280] systemd-journald[318]: File /var/log/journal/175d12fcaa4f4399b13b80431ab779aa/user-1000.journal corrupted or uncleanly shut down, renaming and replacing.
[  102.104016] rfkill: input handler enabled
[  107.130435] rfkill: input handler disabled

** Model information
sys_vendor: innotek GmbH
product_name: VirtualBox
product_version: 1.2
chassis_vendor: Oracle Corporation
chassis_version: 
bios_vendor: innotek GmbH
bios_version: VirtualBox
board_vendor: Oracle Corporation
board_name: VirtualBox
board_version: 1.2

** Loaded modules:
rfkill
nls_ascii
nls_cp437
vfat
fat
joydev
snd_intel8x0
snd_ac97_codec
ac97_bus
pcspkr
efi_pstore
snd_pcm
serio_raw
snd_timer
sg
snd
soundcore
vboxguest
evdev
ac
msr
parport_pc
ppdev
lp
parport
fuse
configfs
efivarfs
ip_tables
x_tables
autofs4
ext4
crc16
mbcache
jbd2
btrfs
blake2b_generic
dm_crypt
dm_mod
raid10
raid456
async_raid6_recov
async_memcpy
async_pq
async_xor
async_tx
xor
raid6_pq
libcrc32c
crc32c_generic
raid1
raid0
multipath
linear
md_mod
hid_generic
usbhid
hid
crc32_pclmul
crc32c_intel
vmwgfx
sd_mod
t10_pi
crc_t10dif
crct10dif_generic
sr_mod
crct10dif_pclmul
crct10dif_common
cdrom
ghash_clmulni_intel
ttm
ahci
ohci_pci
drm_kms_helper
libahci
ehci_pci
aesni_intel
cec
libata
ohci_hcd
ehci_hcd
drm
libaes
crypto_simd
usbcore
cryptd
glue_helper
psmouse
scsi_mod
i2c_piix4
usb_common
e1000
video
button

** PCI devices:
00:00.0 Host bridge [0600]: Intel Corporation 440FX - 82441FX PMC [Natoma] [8086:1237] (rev 02)
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0

00:01.0 ISA bridge [0601]: Intel Corporation 82371SB PIIX3 ISA [Natoma/Triton II] [8086:7000]
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0

00:02.0 VGA compatible controller [0300]: VMware SVGA II Adapter [15ad:0405] (prog-if 00 [VGA controller])
	Subsystem: VMware SVGA II Adapter [15ad:0405]
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 64
	Interrupt: pin A routed to IRQ 18
	Region 0: I/O ports at c170 [size=16]
	Region 1: Memory at e0000000 (32-bit, prefetchable) [size=16M]
	Region 2: Memory at e1400000 (32-bit, non-prefetchable) [size=2M]
	Expansion ROM at 000c0000 [virtual] [disabled] [size=128K]
	Kernel driver in use: vmwgfx
	Kernel modules: vmwgfx

00:03.0 Ethernet controller [0200]: Intel Corporation 82540EM Gigabit Ethernet Controller [8086:100e] (rev 02)
	Subsystem: Intel Corporation PRO/1000 MT Desktop Adapter [8086:001e]
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap+ 66MHz+ UDF- FastB2B- ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 64 (63750ns min)
	Interrupt: pin A routed to IRQ 19
	Region 0: Memory at e1600000 (32-bit, non-prefetchable) [size=128K]
	Region 2: I/O ports at c190 [size=8]
	Capabilities: <access denied>
	Kernel driver in use: e1000
	Kernel modules: e1000

00:04.0 System peripheral [0880]: InnoTek Systemberatung GmbH VirtualBox Guest Service [80ee:cafe]
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0
	Interrupt: pin A routed to IRQ 20
	Region 0: I/O ports at c140 [size=32]
	Region 1: Memory at e1000000 (32-bit, non-prefetchable) [size=4M]
	Region 2: Memory at e1620000 (32-bit, prefetchable) [size=16K]
	Kernel driver in use: vboxguest
	Kernel modules: vboxguest

00:05.0 Multimedia audio controller [0401]: Intel Corporation 82801AA AC'97 Audio Controller [8086:2415] (rev 01)
	Subsystem: Dell 82801AA AC'97 Audio Controller [1028:0177]
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 64
	Interrupt: pin A routed to IRQ 21
	Region 0: I/O ports at c000 [size=256]
	Region 1: I/O ports at c100 [size=64]
	Kernel driver in use: snd_intel8x0
	Kernel modules: snd_intel8x0

00:06.0 USB controller [0c03]: Apple Inc. KeyLargo/Intrepid USB [106b:003f] (prog-if 10 [OHCI])
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 64
	Interrupt: pin A routed to IRQ 22
	Region 0: Memory at e1627000 (32-bit, non-prefetchable) [size=4K]
	Kernel driver in use: ohci-pci
	Kernel modules: ohci_pci

00:07.0 Bridge [0680]: Intel Corporation 82371AB/EB/MB PIIX4 ACPI [8086:7113] (rev 08)
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0
	Interrupt: pin A routed to IRQ 9
	Kernel driver in use: piix4_smbus
	Kernel modules: i2c_piix4

00:0b.0 USB controller [0c03]: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB2 EHCI Controller [8086:265c] (prog-if 20 [EHCI])
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 64, Cache Line Size: 64 bytes
	Interrupt: pin A routed to IRQ 19
	Region 0: Memory at e1626000 (32-bit, non-prefetchable) [size=4K]
	Kernel driver in use: ehci-pci
	Kernel modules: ehci_pci

00:0d.0 SATA controller [0106]: Intel Corporation 82801HM/HEM (ICH8M/ICH8M-E) SATA Controller [AHCI mode] [8086:2829] (rev 02) (prog-if 01 [AHCI 1.0])
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 64
	Interrupt: pin A routed to IRQ 21
	Region 0: I/O ports at c188 [size=8]
	Region 1: I/O ports at c19c [size=4]
	Region 2: I/O ports at c180 [size=8]
	Region 3: I/O ports at c198 [size=4]
	Region 4: I/O ports at c160 [size=16]
	Region 5: Memory at e1624000 (32-bit, non-prefetchable) [size=8K]
	Capabilities: <access denied>
	Kernel driver in use: ahci
	Kernel modules: ahci


** USB devices:
not available


-- System Information:
Debian Release: 11.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-18-amd64 (SMP w/1 CPU thread)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages linux-image-5.10.0-18-amd64 depends on:
ii  initramfs-tools [linux-initramfs-tool]  0.140
ii  kmod                                    28-1
ii  linux-base                              4.6

Versions of packages linux-image-5.10.0-18-amd64 recommends:
ii  apparmor             2.13.6-10
ii  firmware-linux-free  20200122-1

Versions of packages linux-image-5.10.0-18-amd64 suggests:
pn  debian-kernel-handbook  <none>
ii  grub-efi-amd64          2.06-3~deb11u1
pn  linux-doc-5.10          <none>

Versions of packages linux-image-5.10.0-18-amd64 is related to:
pn  firmware-amd-graphics     <none>
pn  firmware-atheros          <none>
pn  firmware-bnx2             <none>
pn  firmware-bnx2x            <none>
pn  firmware-brcm80211        <none>
pn  firmware-cavium           <none>
pn  firmware-intel-sound      <none>
pn  firmware-intelwimax       <none>
pn  firmware-ipw2x00          <none>
pn  firmware-ivtv             <none>
pn  firmware-iwlwifi          <none>
pn  firmware-libertas         <none>
pn  firmware-linux-nonfree    <none>
pn  firmware-misc-nonfree     <none>
pn  firmware-myricom          <none>
pn  firmware-netxen           <none>
pn  firmware-qlogic           <none>
pn  firmware-realtek          <none>
pn  firmware-samsung          <none>
pn  firmware-siano            <none>
pn  firmware-ti-connectivity  <none>
pn  xen-hypervisor            <none>

-- no debconf information
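The following program is an added example and is not part of the bug report or of the Debian kernel packaging. It makes the behaviour the report argues about observable: it reads kernel.yama.ptrace_scope, encodes the attach policy from Documentation/admin-guide/LSM/Yama.rst in yama_allows_attach(), and then tries three real PTRACE_ATTACH calls as an unprivileged user: a parent attaching to its own child (point b above), a sibling process of the same uid attaching to that child (the case Yama exists to block), and a sibling attaching to a child that opted in with prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY) (the hook Ubuntu's gdb error message points users at). It assumes a Linux host with /proc and that no seccomp filter or other LSM blocks ptrace; the function names and the constructed victim/sibling processes are this example's own.

```c
/* Added example, not from the bug report: what kernel.yama.ptrace_scope changes.
 * Build: cc -Wall -o yama_demo yama_demo.c ; run as an ordinary user.
 * Assumes Linux with /proc and no seccomp filter / other LSM blocking ptrace. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Yama's PTRACE_ATTACH decision as documented in Documentation/admin-guide/LSM/Yama.rst.
 * Returns 1 when Yama permits the attach, 0 when it denies with EPERM. The classic
 * checks (same uid, target dumpable) still apply on top of this layer. */
int yama_allows_attach(int scope, int tracer_is_ancestor, int tracee_opted_in,
                       int tracer_has_cap_sys_ptrace)
{
    switch (scope) {
    case 0:  return 1;                                   /* classic ptrace rules only */
    case 1:  return tracer_is_ancestor || tracee_opted_in /* restricted: the default at issue */
                    || tracer_has_cap_sys_ptrace;
    case 2:  return tracer_has_cap_sys_ptrace;           /* admin-only, even for ancestors */
    case 3:  return 0;                                   /* no attach at all; cannot be lowered */
    default: return 0;
    }
}

/* Current sysctl value, or -1 if Yama is not built in / not active on this kernel. */
int read_ptrace_scope(void)
{
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    int v = -1;
    if (f) { if (fscanf(f, "%d", &v) != 1) v = -1; fclose(f); }
    return v;
}

/* Is CAP_SYS_PTRACE (capability bit 19) in this process's effective set? */
int have_cap_sys_ptrace(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    unsigned long long eff = 0;
    if (!f) return 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "CapEff: %llx", &eff) == 1) break;
    fclose(f);
    return (int)((eff >> 19) & 1ULL);
}

/* Try PTRACE_ATTACH on pid: 1 = attached (then detached), 0 = EPERM, -1 = other error. */
int try_attach(pid_t pid)
{
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1)
        return errno == EPERM ? 0 : -1;
    waitpid(pid, NULL, __WALL);       /* attach-stop; a tracer may wait on its tracee */
    ptrace(PTRACE_DETACH, pid, NULL, NULL);
    return 1;
}

/* Constructed victim: sleeps until killed; opt_in=1 lets any process trace it. */
static pid_t spawn_victim(int opt_in)
{
    pid_t pid = fork();
    if (pid == 0) {
        if (opt_in) prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0);
        for (;;) pause();
    }
    usleep(100000);                   /* let the child reach prctl()/pause() first */
    return pid;
}

/* Attach from a sibling: same uid as the victim, but not one of its ancestors. */
static int attach_from_sibling(pid_t victim)
{
    pid_t p = fork();
    if (p == 0) _exit(try_attach(victim) + 1);   /* encode -1/0/1 as exit status 0/1/2 */
    int st = 0;
    waitpid(p, &st, 0);
    return WIFEXITED(st) ? WEXITSTATUS(st) - 1 : -1;
}

int main(void)
{
    int scope = read_ptrace_scope(), s = scope < 0 ? 0 : scope, cap = have_cap_sys_ptrace();
    printf("kernel.yama.ptrace_scope = %d%s, CAP_SYS_PTRACE = %d\n",
           scope, scope < 0 ? " (Yama not active)" : "", cap);
    pid_t v1 = spawn_victim(0), v2 = spawn_victim(1);
    /* observed: 1 = attach worked, 0 = EPERM; expected: what the policy above predicts */
    printf("parent  -> own child         : %d (expected %d)\n", try_attach(v1),
           yama_allows_attach(s, 1, 0, cap));
    printf("sibling -> sibling           : %d (expected %d)\n", attach_from_sibling(v1),
           yama_allows_attach(s, 0, 0, cap));
    printf("sibling -> PR_SET_PTRACER_ANY: %d (expected %d)\n", attach_from_sibling(v2),
           yama_allows_attach(s, 0, 1, cap));
    kill(v1, SIGKILL); kill(v2, SIGKILL);
    waitpid(v1, NULL, 0); waitpid(v2, NULL, 0);
    return 0;
}
```

On a kernel carrying yama-disable-by-default.patch the sysctl reads 0 and all three attaches succeed; with scope 1 (the Ubuntu default) only the parent and the opted-in case succeed, which is exactly what the report asks for. The check and the escape hatches mentioned in points c) and d) are "sysctl kernel.yama.ptrace_scope" to read the value, "sysctl -w kernel.yama.ptrace_scope=0" (or a file in /etc/sysctl.d/) to relax it, or running the debugger with CAP_SYS_PTRACE; scope 3 is the one setting that cannot be lowered again without a reboot. The program prints observed next to expected rather than failing on a mismatch, because a seccomp-confined container can return EPERM for any PTRACE_ATTACH independently of Yama.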
