Description of problem:
As of F22, in Eclipse-CDT, you can't debug via "attach to process".
When you try, nothing happens.
When trying the same thing with GDB, you get an error:
"ptrace: Operation not permitted."
After some troubleshooting, one workaround is:
sudo chmod +s /usr/bin/gdb
The root cause of the issue has been narrowed down to a security hardening in:
I tested one potential patch and it fixed the issue.
But at present there is a debate about security in the bug above (50 comments..).
- The Security-hardening argument is that ptrace has the ability to look into the memory of any process, thus being a security threat.
- The usability argument is that the change is security theater. It only breaks a lot of applications and doesn't really add much security since there are other easier ways to do the same (e.g. core dumping another application and reading the dump). As such it's fixing something that isn't broken but causes breakage in many other apps.
This bug is a tracker bug. It is intended to raise attention that the security-hardening change (in bug 1209492) breaks Eclipse-CDT's attach-to-process functionality and imho should be reversed. To me it seems that this is an unnecessarily big wall that can be easily walked around anyway.
Version-Release number of selected component (if applicable):
F22. Eclipse independent.
Steps to Reproduce:
- Start a C application (e.g. a JVM).
- From Eclipse, attempt to attach to the process.
- Nothing happens
- Debug session should have started.
It seems the patch is getting reverted. This is good as Eclipse's GDB attach-to-process will continue to function without having to change SELinux policies.
I'll look into testing things once there is a build available.
The child task was closed as WontFix. It's not clear if remote-attach works on the latest F22/F23 at the moment; I need to test this sometime.
After some investigation, the current solution is to install the package:
Which loosens Yama scope to allow ptrace and other processes that attach themselves to work properly.
The above package has been added as 'weak dependency' by tools like gdb.
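
The Yama scope mentioned above decides whether a non-root gdb may attach to an already running process. The script below is an added example, not part of the original report or of any package named in it; it models the documented kernel.yama.ptrace_scope values (0 to 3) for a debugger without CAP_SYS_PTRACE, and its function names and the script name are hypothetical.

```sh
#!/bin/sh
# Added example: model how Yama's ptrace_scope treats an attach request from a
# debugger that lacks CAP_SYS_PTRACE (i.e. gdb run as a normal user).
YAMA_FILE=/proc/sys/kernel/yama/ptrace_scope

# Print the current scope, or "absent" when the Yama LSM is not enabled.
yama_scope() {
    if [ -r "$YAMA_FILE" ]; then cat "$YAMA_FILE"; else echo absent; fi
}

# is_descendant ANCESTOR PID: succeed if PID sits below ANCESTOR in the tree.
is_descendant() {
    anc=$1; pid=$2
    while [ "$pid" -gt 1 ] 2>/dev/null; do
        # PPid from status; /proc/PID/stat is awkward when comm has spaces.
        ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status" 2>/dev/null) || return 1
        [ -n "$ppid" ] || return 1
        [ "$ppid" = "$anc" ] && return 0
        pid=$ppid
    done
    return 1
}

# attach_verdict SCOPE DEBUGGER_PID TARGET_PID
attach_verdict() {
    case $1 in
        absent|0) echo "permitted by Yama: classic same-uid ptrace checks apply" ;;
        1) if is_descendant "$2" "$3"; then
               echo "permitted by Yama: target is a descendant of the debugger"
           else
               echo "denied by Yama: scope 1 needs a descendant or a PR_SET_PTRACER opt-in"
           fi ;;
        2) echo "denied by Yama: scope 2 requires CAP_SYS_PTRACE" ;;
        3) echo "denied by Yama: scope 3 disables attach until reboot" ;;
        *) echo "unknown scope: $1"; return 2 ;;
    esac
}

# Usage: sh yama_check.sh DEBUGGER_PID TARGET_PID
if [ $# -eq 2 ]; then
    attach_verdict "$(yama_scope)" "$1" "$2"
fi
```

With scope 1, "attach to process" from an IDE fails for any target the debugger did not start itself, which matches the "ptrace: Operation not permitted" symptom in the description.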