bundles/left4me: ship kernel.yama.ptrace_scope=2 sysctl drop-in

Belt-and-braces with the gameserver unit's SystemCallFilter=~@debug + PrivateUsers=true. Currently applied by hand on left4.me (left over from the hardening test plan's Test 9); landing in the bundle so it survives bw apply and is reproducible on any future host. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-15 14:51:26 +02:00 · 2026-05-15 14:51:26 +02:00 · 130b0b1c9c
commit 130b0b1c9c
parent c6721e7545
1 changed files with 11 additions and 0 deletions
--- a/bundles/left4me/metadata.py
+++ b/bundles/left4me/metadata.py
@ -83,6 +83,17 @@ defaults = {
            '/etc/left4me',
        },
    },
+    'sysctl': {
+        # Block ptrace except from CAP_SYS_PTRACE holders. Belt-and-braces
+        # with SystemCallFilter=~@debug + PrivateUsers=true in the gameserver
+        # unit. See:
+        #   left4me docs/superpowers/specs/2026-05-15-hardening-defenses-survey.md
+        'kernel': {
+            'yama': {
+                'ptrace_scope': '2',
+            },
+        },
+    },
    'systemd-timers': {
        # Daily re-fetch of Steam Workshop metadata + .vpk downloads for any
        # item whose author published an update. The CLI just inserts a