{{Header}}
{{title|title= ptrace_scope }}
{{#seo: |description=Linux kernel ptrace_scope setting (Yama) that restricts ptrace process tracing and debugging. Explains what it does, why it is hardened by default, and how to adjust it when required. }}
{{kernel_mininav}}
{{intro| ptrace_scope is a Linux kernel security setting (Yama) that controls which processes may trace other processes using ptrace. Restrictive defaults improve isolation but can block debuggers such as gdb. This page explains the setting, common errors, and how to change it when necessary. }}

= Introduction =
The kernel setting kernel.yama.ptrace_scope (often referred to as ptrace_scope) restricts the use of the ptrace system call. ptrace is commonly used by debuggers and troubleshooting tools to inspect or control another process. However, the same capability can also be abused to read sensitive data from other processes or to interfere with them. More restrictive ptrace_scope values reduce the attack surface by limiting which processes can attach to which targets.

In {{project_name_short}}, this setting is configured with a restrictive value by default, which can cause debugging and certain diagnostics to fail with permission errors. If you need to relax this setting temporarily for debugging, do so only for the shortest time required, and restore the default afterwards.

To check the current value, use sysctl kernel.yama.ptrace_scope or read /proc/sys/kernel/yama/ptrace_scope.

= Error - Could not trace the inferior process warning =
 warning: Could not trace the inferior process.
 warning: ptrace: Operation not permitted
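
To see which value is active and whether it still matches what sysctl.d configures (for instance after a temporary change made for debugging), the following added example compares the two. It is not part of the original page or of security-misc; the function names are hypothetical, and it reads a single sysctl.d-style directory in lexical order with the last assignment winning, which is a simplification of the real multi-directory precedence.

```shell
#!/bin/sh
# Added example (not from the original page): compare the active
# ptrace_scope with the configured one. Function names are hypothetical.

# Print the value a sysctl.d-style directory ($1) sets for
# kernel.yama.ptrace_scope. Assumption: one directory only, files read in
# lexical order, last assignment wins. Prints nothing if the key is unset.
configured_ptrace_scope() {
    dir=$1
    set -- "$dir"/*.conf
    if [ ! -e "$1" ]; then return 0; fi   # glob matched nothing
    awk -F= '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == "kernel.yama.ptrace_scope" {
            val = $2; gsub(/[ \t]/, "", val); last = val
        }
        END { if (last != "") print last }
    ' "$@"
}

# Classify the runtime value ($1) against the configured value ($2):
#   ok        runtime equals the configuration
#   relaxed   runtime is lower (less restrictive) than configured
#   stricter  runtime is higher (more restrictive) than configured
#   unknown   either value is missing or outside 0..3
classify_ptrace_scope() {
    case "$1,$2" in
        [0-3],[0-3]) ;;
        *) echo unknown; return 0 ;;
    esac
    if [ "$1" -eq "$2" ]; then echo ok
    elif [ "$1" -lt "$2" ]; then echo relaxed
    else echo stricter
    fi
}

# Audit: $1 = file holding the runtime value, $2 = sysctl.d-style directory.
audit_ptrace_scope() {
    runtime=$(cat "$1" 2>/dev/null) || runtime=
    classify_ptrace_scope "$runtime" "$(configured_ptrace_scope "$2")"
}

# On a live system, using the paths named on this page (skipped without Yama).
if [ -r /proc/sys/kernel/yama/ptrace_scope ]; then
    audit_ptrace_scope /proc/sys/kernel/yama/ptrace_scope /etc/sysctl.d
fi
```

A result of relaxed means the running kernel is less restrictive than the configuration, which is what a temporary change that was never restored looks like.
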
This error is caused by an intentional security setting of [[security-misc]], but it can be undone.

{{IconSet|h1|1}} {{sysmaint_notice}}

{{IconSet|h1|2}} {{Open with root rights|filename= /etc/sysctl.d/50_user.conf }}

{{IconSet|h1|3}} Paste the following.

Note: Another value can be used instead, as per the [https://www.kernel.org/doc/Documentation/security/Yama.txt kernel sysctl manual].

{{CodeSelect|code= kernel.yama.ptrace_scope=0 }}

{{IconSet|h1|4}} Re-generate the [[dracut]] initial ramdisk. This is needed due to dracut's early sysctl parsing.

{{CodeSelect|code= sudo dracut -f }}

{{IconSet|h1|5}} Reboot.

{{CodeSelect|code= sudo reboot }}

{{IconSet|h1|6}} Done.

= Forum Discussion =
* https://forums.whonix.org/t/can-t-edit-proc-sys-kernel-yama-ptrace-scope/22725

= References =
{{reflist|close=1}}

{{Footer}}

[[Category:Documentation]]