Merge pull request #166 from jsegitz/1221763

yama-enable-ptrace: enforce changed behavior upon installation (bsc#1221763)
openSUSE · Sep 6, 2024 · 742565b · 742565b
2 parents 34054fc + b97b4c4
commit 742565b
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/aaa_base.spec b/aaa_base.spec
@@ -193,6 +193,22 @@ fi
 %postun extras
 %service_del_postun backup-rpmdb.service backup-rpmdb.timer backup-sysconfig.service backup-sysconfig.timer check-battery.service check-battery.timer
 
+%post yama-enable-ptrace
+# check if yama is active
+if [ -f /proc/sys/kernel/yama/ptrace_scope ]; then
+  # automatically disable ptrace protection upon install if systemd is not
+  # available. Usually system will automatically apply the setting
+  if ! type -p systemd-notify > /dev/null || ! systemd-notify --booted; then
+    # don't do it on transactional systems to avoid altering the state of the
+    # system before reboot
+    if [ -z "${TRANSACTIONAL_UPDATE}" ]; then
+      # can't use sysctl since that would cause us to require procps, which is
+      # bad for container size
+      echo 0 > /proc/sys/kernel/yama/ptrace_scope || :
+    fi
+  fi
+fi
+
 %files
 %license COPYING
 %ghost %config(noreplace) /etc/sysctl.conf