Product SiteDocumentation Site

10.4.13. Disable ptrace()

The ptrace() system call allows one process to observe and control the execution of another process and change its memory and registers. This call is used primarily by developers during debugging, for example when using the strace utility. When ptrace() is not needed, it can be disabled to improve system security. This can be done by enabling the deny_ptrace Boolean, which denies all processes, even those that are running in unconfined_t domains, from being able to use ptrace() on other processes.
The deny_ptrace Boolean is disabled by default. To enable it, run the setsebool -P deny_ptrace on command as the root user:
~]# setsebool -P deny_ptrace on
To verify if this Boolean is enabled, use the following command:
~]$ getsebool deny_ptrace
deny_ptrace --> on
To disable this Boolean, run the setsebool -P deny_ptrace off command as root:
~]# setsebool -P deny_ptrace off

Note

The setsebool -P command makes persistent changes. Do not use the -P option if you do not want changes to persist across reboots.
This Boolean influences only packages that are part of Fedora. Consequently, third-party packages could still use the ptrace() system call. To list all domains that are allowed to use ptrace(), run the following command. Note that the setools-console package provides the sesearch utility and that the package is not installed by default.
~]# sesearch -A -p ptrace,sys_ptrace -C | grep -v deny_ptrace | cut -d ' ' -f 5