deploy/sysctl: absorb kernel.yama.ptrace_scope into the drop-in

Single source of truth for left4me sysctl tuning. The metadata entry in ckn-bw (sysctl/kernel/yama/ptrace_scope) is removed in lockstep; the live value is unchanged. Part of 2026-05-15-deployment-responsibility-design.md migration step 1 (canary).
2026-05-15 19:00:35 +02:00 · 2026-05-15 19:00:35 +02:00 · 949f1bae78
commit 949f1bae78
parent 672fd9660b
2 changed files with 6 additions and 0 deletions
--- a/deploy/files/etc/sysctl.d/99-left4me.conf
+++ b/deploy/files/etc/sysctl.d/99-left4me.conf
@ -34,3 +34,8 @@ net.core.default_qdisc = fq_codel
 # backups, package fetches, web-app responses) so a long flow does not push
 # the bottleneck queue ahead of game UDP. UDP srcds is unaffected.
 net.ipv4.tcp_congestion_control = bbr
+
+# Block ptrace except from CAP_SYS_PTRACE holders. Belt-and-braces with
+# SystemCallFilter=~@debug + PrivateUsers=true in the gameserver unit.
+# See docs/superpowers/specs/2026-05-15-hardening-defenses-survey.md.
+kernel.yama.ptrace_scope = 2
--- a/deploy/tests/test_example_units.py
+++ b/deploy/tests/test_example_units.py
@ -194,6 +194,7 @@ def test_sysctl_conf_present_with_perf_settings():
        "net.ipv4.udp_wmem_min = 16384",
        "net.core.default_qdisc = fq_codel",
        "net.ipv4.tcp_congestion_control = bbr",
+        "kernel.yama.ptrace_scope = 2",
    ):
        assert line in text, f"missing {line!r} in 99-left4me.conf"