## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC
## See the file COPYING for copying conditions.

## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP
## KSPP=no: not (currently) compliant with recommendations by the KSPP
## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.

## Disable the usage of the ptrace() system call by all processes.
## Restrict ptrace() as it enables programs to inspect and modify other active processes.
## Prevents native code debugging which some programs use as a method to detect tampering.
## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
##
## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope
## https://en.wikipedia.org/wiki/Ptrace
## https://grapheneos.org/features#attack-surface-reduction
## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
## https://github.com/netblue30/firejail/issues/2860
##
## KSPP=yes
## KSPP sets the sysctl.
##
kernel.yama.ptrace_scope=3