Merge pull request #14 from HorlogeSkynet/patch-1

Mentions `kernel.yama.ptrace_scope = 3` breaks lxc v6+ procfs

sysctl.conf

@@ -4,11 +4,11 @@
 # Contributor: HorlogeSkynet
 # Contributor: shenzhui007
 # Date Created: October 5, 2020
-# Last Updated: July 6, 2023
+# Last Updated: May 2, 2024
 
 # Licensed under the GNU General Public License Version 3 (GNU GPL v3),
 #   available at: https://www.gnu.org/licenses/gpl-3.0.txt
-# (C) 2020-2023 K4YT3X
+# (C) 2020-2024 K4YT3X
 
 # Multiple sources have been consulted while writing this configuration
 #  file (e.g., nixCraft's sysctl.conf). Sources are not cited since this
@@ -39,9 +39,15 @@ kernel.core_uses_pid = 1
 kernel.kptr_restrict = 2
 
 # Ptrace protection using Yama
-#   - 1: only a parent process can be debugged
+#   - 0 (classic): allows any process to trace any other process under the same UID
-#   - 2: only admins can use ptrace (CAP_SYS_PTRACE capability required)
+#   - 1 (restricted): only a parent process can be debugged
-#   - 3: disables ptrace completely, reboot is required to re-enable ptrace
+#   - 2 (admin-only): only admins can use ptrace (CAP_SYS_PTRACE capability required)
+#   - 3 (no attach): disables ptrace completely, reboot is required to re-enable ptrace
+# the general recommendation for this setting is:
+#   - if you do not need to debug programs, set it to 3
+#   - if you need to debug programs (e.g., GDB, LLDB, strace), set it to 1
+# setting it to 3 will also break LXC v6+ procfs emulation for unprivileged containers
+#   (see GitHub issue https://github.com/lxc/lxcfs/issues/636)
 kernel.yama.ptrace_scope = 3
 
 # restrict kernel logs to root only