From b04828f858fa6d101099773d3156841fd6d33b6f Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Thu, 18 Jul 2024 11:01:41 +1000
Subject: [PATCH] Disable the usage of `ptrace()` by all processes
---
 README.md | 5 ++---
 usr/lib/sysctl.d/990-security-misc.conf | 6 ++----
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index b6aa965..cbd2530 100644
--- a/README.md
+++ b/README.md
@@ -45,9 +45,8 @@ space, user space, core dumps, and swap space.
 - Disable asynchronous I/O (when using Linux kernel version >= 6.6).
-- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
-  enables programs to inspect and modify other active processes. Provide the
-  option to entirely disable the use of `ptrace()` for all processes.
+- Disable the usage of `ptrace()` by all processes as it enables programs to
+  inspect and modify other active processes.
 - Prevent hardlink and symlink TOCTOU races in world-writable directories.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 60440e5..1131b77 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -128,7 +128,7 @@ kernel.io_uring_disabled=2
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
-## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE.
+## Disable the usage of ptrace() system calls by all processes.
 ## Limit ptrace() as it enables programs to inspect and modify other active processes.
 ## Prevents native code debugging which some programs use as a method to detect tampering.
 ## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
@@ -139,9 +139,7 @@ kernel.io_uring_disabled=2
 ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
 ## https://github.com/netblue30/firejail/issues/2860
 ##
-## It is possible to harden further by disabling ptrace() for all users, see documentation.
-##
-kernel.yama.ptrace_scope=2
+kernel.yama.ptrace_scope=3
 ## Maximize bits of entropy for improved effectiveness of mmap ASLR.
 ## The maximum number of bits depends on CPU architecture (the ones shown below are for x86).
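Review bot: The added line `kernel.yama.ptrace_scope=3` is a one-way latch that the surrounding comment block does not mention: per the kernel's Yama documentation, once the scope is set to 3 it cannot be changed again until reboot, and at that level no process may attach at all, CAP_SYS_PTRACE holders included, so the runtime escape hatch implied by the removed "see documentation" line is gone. This also means the breakage warning in the previous hunk (anti-cheat software, Proton/WINE) now applies unconditionally rather than as an opt-in, and tools such as strace and gdb that rely on PTRACE_TRACEME or PTRACE_ATTACH cannot be used for incident investigation or crash analysis on a running system. I would add directly above the setting: `## Value 3 is irreversible until reboot and blocks even CAP_SYS_PTRACE holders,` / `## so debuggers, strace and crash-analysis tooling cannot attach on a live system.` Presumably anyone who needs a lower scope has to override the key in a sysctl.d drop-in that sorts after this file rather than with `sysctl -w` at runtime; stating that next to the value would save operators a reboot.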