From 7161430a6000c4ff5e15a9a8c9519529655a1444 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Sun, 12 Oct 2025 02:27:48 +0000
Subject: [PATCH] Seperate `ptrace()` disabling into own file

---
 ...c_ptrace-disable.conf#security-misc-shared | 24 +++++++++++++++++++
 ...90-security-misc.conf#security-misc-shared | 4 +++-
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared

diff --git a/usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared b/usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared
new file mode 100644
index 0000000..1047f88
--- /dev/null
+++ b/usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared
@@ -0,0 +1,24 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC
+## See the file COPYING for copying conditions.
+
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
+
+## Diable the usage of the ptrace() system call by all processes.
+## Restrict ptrace() as it enables programs to inspect and modify other active processes.
+## Prevents native code debugging which some programs use as a method to detect tampering.
+## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope
+## https://en.wikipedia.org/wiki/Ptrace
+## https://grapheneos.org/features#attack-surface-reduction
+## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
+## https://github.com/netblue30/firejail/issues/2860
+##
+## KSPP=yes
+## KSPP sets the sysctl.
+##
+kernel.yama.ptrace_scope=3
\ No newline at end of file
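Review bot: Moving `kernel.yama.ptrace_scope=3` from a `990-` prefixed file into a `30_` prefixed file changes its precedence, because sysctl.d drop-ins are applied in lexical filename order and the last writer wins; any `50-*.conf` or `99-sysctl.conf` that sets `kernel.yama.ptrace_scope` will now override this hardening where `990-security-misc.conf` previously took effect after them. If that is intended (easier admin override for debugging), the header should say so, otherwise a 9xx prefix should be kept. The header also lacks the caveat from the linked Yama documentation that scope 3 is one-way, which matters operationally; suggest adding `## Once set to 3, the value cannot be lowered again without a reboot.` after the Proton/WINE line. Finally, fix the typo `## Diable the usage` → `## Disable the usage` and end the file with a newline (the hunk ends with `\ No newline at end of file`).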
diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
index 40d8eb7..9caedfe 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
+++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
@@ -241,7 +241,9 @@ kernel.io_uring_disabled=2
 ## KSPP=yes
 ## KSPP sets the sysctl.
 ##
-kernel.yama.ptrace_scope=3
+## See /usr/lib/sysctl.d/30_security_misc-ptrace-disable.conf for implementation.
+##
+#kernel.yama.ptrace_scope=3
 
 ## Maximize bits of entropy for improved effectiveness of mmap ASLR.
 ## The maximum number of bits depends on CPU architecture (the ones shown below are for x86).
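Review bot: The path in the new pointer comment does not match the file this patch creates: it reads `30_security_misc-ptrace-disable.conf` while the diffstat and first hunk create `30_security-misc_ptrace-disable.conf` (hyphen and underscore swapped), so anyone following the reference will not find the file. Change it to `## See /usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf for implementation.`; this assumes the `#security-misc-shared` suffix is stripped at install time, which the patch itself does not show. The context lines `## KSPP=yes` / `## KSPP sets the sysctl.` above the now commented-out setting still read as if this file applies it, so consider moving the whole descriptive block into the new file and leaving only the pointer here. The enclosing comment block begins outside the hunk.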