From 949f1bae78ce3b4b865981bb3e17e7ab912e89f0 Mon Sep 17 00:00:00 2001
From: mwiegand
Date: Fri, 15 May 2026 19:00:35 +0200
Subject: [PATCH] deploy/sysctl: absorb kernel.yama.ptrace_scope into the drop-in

Single source of truth for left4me sysctl tuning. The metadata entry in ckn-bw (sysctl/kernel/yama/ptrace_scope) is removed in lockstep; the live value is unchanged. Part of 2026-05-15-deployment-responsibility-design.md migration step 1 (canary).
---
 deploy/files/etc/sysctl.d/99-left4me.conf | 5 +++++
 deploy/tests/test_example_units.py | 1 +
 2 files changed, 6 insertions(+)

diff --git a/deploy/files/etc/sysctl.d/99-left4me.conf b/deploy/files/etc/sysctl.d/99-left4me.conf
index 0860833..e18daa6 100644
--- a/deploy/files/etc/sysctl.d/99-left4me.conf
+++ b/deploy/files/etc/sysctl.d/99-left4me.conf
@@ -34,3 +34,8 @@ net.core.default_qdisc = fq_codel
 # backups, package fetches, web-app responses) so a long flow does not push
 # the bottleneck queue ahead of game UDP. UDP srcds is unaffected.
 net.ipv4.tcp_congestion_control = bbr
+
+# Block ptrace except from CAP_SYS_PTRACE holders. Belt-and-braces with
+# SystemCallFilter=~@debug + PrivateUsers=true in the gameserver unit.
+# See docs/superpowers/specs/2026-05-15-hardening-defenses-survey.md.
+kernel.yama.ptrace_scope = 2
diff --git a/deploy/tests/test_example_units.py b/deploy/tests/test_example_units.py
index 4a1e606..6a14a92 100644
--- a/deploy/tests/test_example_units.py
+++ b/deploy/tests/test_example_units.py
@@ -194,6 +194,7 @@ def test_sysctl_conf_present_with_perf_settings():
 "net.ipv4.udp_wmem_min = 16384",
 "net.core.default_qdisc = fq_codel",
 "net.ipv4.tcp_congestion_control = bbr",
+"kernel.yama.ptrace_scope = 2",
 ):
 assert line in text, f"missing {line!r} in 99-left4me.conf"
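Review bot: The new comment block says what scope 2 blocks but not what it depends on or what it does not cover: the `kernel.yama.*` key only exists when the Yama LSM is built in and enabled, so on a kernel without it `sysctl --system` logs an unknown-key error and carries on silently from the deployment's point of view, and scope 2, unlike 3, can be lowered again at runtime by root, so this is a bar against unprivileged processes attaching to each other rather than a tamper-proof control. Both are worth a line under the existing text, e.g. `# Needs the Yama LSM (key absent otherwise; sysctl --system warns and continues).` and `# Scope 2 is revertible at runtime by root; 3 is sticky until reboot but breaks every attach.`. The `99-` prefix is what makes this value win over lower-numbered distro drop-ins (Ubuntu ships a `10-ptrace.conf` at scope 1), so a one-line note that the filename ordering is load-bearing would stop a future rename from silently reverting the setting. Operators should also expect host-side `gdb -p`/`strace -p` on srcds to need CAP_SYS_PTRACE from now on, which the runbook referenced in the comment may or may not already say.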
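Review bot: The added expectation, like its siblings, is matched as a substring of the whole file, so a commented-out `# kernel.yama.ptrace_scope = 2` or a typo such as `kernel.yama.ptrace_scope = 20` still passes; for a hardening key that false pass is worth closing. Matching against stripped non-comment lines does it in one change: `assert line in {l.strip() for l in text.splitlines() if not l.lstrip().startswith("#")}, f"missing {line!r} in 99-left4me.conf"`. The test is also still named `test_sysctl_conf_present_with_perf_settings` while it now pins a hardening key; a rename or a separate test keeps a failure pointing at the right concern. The function's `def` and the opening of the tuple lie above the hunk, and the header counts six old lines where five are visible, so the hunk's tail may have been lost in the paste.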