From 63626611131ed31d8be82da3a403df1de1db4348 Mon Sep 17 00:00:00 2001
From: Aminda Suomalainen
Date: Tue, 23 Jul 2024 15:18:35 +0300
Subject: [PATCH] sysctl.d/00-ptrace-restricted.conf: drop from 3 to 2 (no to admin-only)
---
 etc/sysctl.d/00-ptrace-restricted.conf | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/etc/sysctl.d/00-ptrace-restricted.conf b/etc/sysctl.d/00-ptrace-restricted.conf
index face8980..ba302322 100644
--- a/etc/sysctl.d/00-ptrace-restricted.conf
+++ b/etc/sysctl.d/00-ptrace-restricted.conf
@@ -1,5 +1,8 @@
 # Only let child processes to be debugged
 # https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html
 #kernel.yama.ptrace_scope = 1
-# Disable debuggers entirely
-kernel.yama.ptrace_scope = 3
+# Only processes with CAP_SYS_PTRACE capability are allowed unless children
+# call PTRACE_TRACEME.
+kernel.yama.ptrace_scope = 2
+# Disable debuggers entirely. Cannot be unset [without reboot].
+#kernel.yama.ptrace_scope = 3
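Review bot: The new comment above `kernel.yama.ptrace_scope = 2` reads as if a child calling PTRACE_TRACEME were exempt from the capability check, but the Yama documentation linked in this file describes mode 2 as admin-only for both paths: the tracer needs CAP_SYS_PTRACE whether it uses PTRACE_ATTACH or its child calls PTRACE_TRACEME. I would reword it to `# Admin-only attach: only processes with CAP_SYS_PTRACE may use ptrace,` followed by `# either via PTRACE_ATTACH or through children calling PTRACE_TRACEME.` so nobody expects an unprivileged debugger launching its own child to work. It would also help to record the trade-off next to the active setting: unlike 3, the value 2 is not locked and can be lowered again at runtime by a sufficiently privileged process, so the restriction holds only while that privilege is uncompromised.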