cronekorkn/bundlewrap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

bundles/left4me: ship kernel.yama.ptrace_scope=2 sysctl drop-in

Browse source 
Belt-and-braces with the gameserver unit's SystemCallFilter=~@debug +
PrivateUsers=true. Currently applied by hand on left4.me (left over
from the hardening test plan's Test 9); landing in the bundle so it
survives bw apply and is reproducible on any future host.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
CroneKorkN 2026-05-15 14:51:26 +02:00
parent c6721e7545
commit 130b0b1c9c
Signed by: cronekorkn
SSH key fingerprint: SHA256:v0410ZKfuO1QHdgKBsdQNF64xmTxOF8osF1LIqwTcVw
1 changed files with 11 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
bundles/left4me/metadata.py
View file

@ -83,6 +83,17 @@ defaults = {
'/etc/left4me', '/etc/left4me',
}, },
}, },
'sysctl': {
# Block ptrace except from CAP_SYS_PTRACE holders. Belt-and-braces
# with SystemCallFilter=~@debug + PrivateUsers=true in the gameserver
# unit. See:
# left4me docs/superpowers/specs/2026-05-15-hardening-defenses-survey.md
'kernel': {
'yama': {
'ptrace_scope': '2',
},
},
},
'systemd-timers': { 'systemd-timers': {
# Daily re-fetch of Steam Workshop metadata + .vpk downloads for any # Daily re-fetch of Steam Workshop metadata + .vpk downloads for any
# item whose author published an update. The CLI just inserts a # item whose author published an update. The CLI just inserts a