From 130b0b1c9c3553f544d572585ef6cb00ce9953f1 Mon Sep 17 00:00:00 2001
From: CroneKorkN
Date: Fri, 15 May 2026 14:51:26 +0200
Subject: [PATCH] bundles/left4me: ship kernel.yama.ptrace_scope=2 sysctl drop-in

Belt-and-braces with the gameserver unit's SystemCallFilter=~@debug + PrivateUsers=true. Currently applied by hand on left4.me (left over from the hardening test plan's Test 9); landing in the bundle so it survives bw apply and is reproducible on any future host.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 bundles/left4me/metadata.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/bundles/left4me/metadata.py b/bundles/left4me/metadata.py
index 1f96d50..88488ec 100644
--- a/bundles/left4me/metadata.py
+++ b/bundles/left4me/metadata.py
@@ -83,6 +83,17 @@ defaults = {
 '/etc/left4me',
 },
 },
+ 'sysctl': {
+ # Block ptrace except from CAP_SYS_PTRACE holders. Belt-and-braces
+ # with SystemCallFilter=~@debug + PrivateUsers=true in the gameserver
+ # unit. See:
+ # left4me docs/superpowers/specs/2026-05-15-hardening-defenses-survey.md
+ 'kernel': {
+ 'yama': {
+ 'ptrace_scope': '2',
+ },
+ },
+ },
 'systemd-timers': {
 # Daily re-fetch of Steam Workshop metadata + .vpk downloads for any
 # item whose author published an update. The CLI just inserts a
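Review bot: Yama's scope-2 test is, if I read `yama_ptrace_access_check` correctly, `ns_capable(CAP_SYS_PTRACE)` in the *target's* user namespace, so the added `'ptrace_scope': '2'` does not stop an unprivileged process that unshares its own user namespace from tracing its own children; it is genuine host-wide hardening, but the gameserver's actual protection still rests on `SystemCallFilter=~@debug` removing `ptrace` outright, which the comment should say so nobody later drops the filter as redundant. The comment should also record the operational cost of a host-wide setting: `# Side effect: unprivileged gdb/strace -p attach fails host-wide; unlike scope 3, root can still lower this at runtime.` Whether this metadata key is consumed at all depends on a `sysctl` bundle outside this hunk, so the change is worth pairing with a post-`bw apply` check such as `sysctl kernel.yama.ptrace_scope` rather than trusting the hand-applied value on left4.me. The `defaults` dict this entry sits in starts and ends outside the hunk.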