Bug 2461617 - systemtap: add Recommends: yama-ptrace-enable for FESCo Change #3569
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: systemtap
Version: rawhide
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Frank Ch. Eigler
QA Contact: Fedora Extras Quality Assurance
Blocks: 2448388
 
Reported: 2026-04-24 18:02 UTC by Aaron Merey
Modified: 2026-04-24 18:46 UTC (History)
Last Closed: 2026-04-24 18:46:08 UTC

Description Aaron Merey 2026-04-24 18:02:37 UTC
Request packaging change for the systemtap side of FESCo Change
"Restrict ptrace by default" (fesco#3569, tracker rhbz#2448388).

elfutils ships a subpackage elfutils-default-yama-scope
whose sysctl file sets kernel.yama.ptrace_scope=0, disabling
yama's non-child ptrace restrictions. Because elfutils-libs
hard-Required it and is pulled in transitively by systemd, every
Fedora system has run with yama disabled.

Starting with Fedora 45 elfutils-0.195-1, elfutils-default-yama-scope
is renamed to yama-ptrace-enable, the hard Requires on elfutils-libs
is dropped, and the sysctl is installed only on systems where a
debugger-type package explicitly pulls it in. Systems without such
a package will fall back to the kernel default (ptrace_scope=1, child-only).

Please add the following to systemtap.spec on rawhide:

  Recommends: yama-ptrace-enable

Recommends (not Requires) lets hardened environments opt out.

FESCo Change:  https://fedoraproject.org/wiki/Changes/Restrict_ptrace_by_default
FESCo issue:   https://pagure.io/fesco/issue/3569
Tracker bug:   https://bugzilla.redhat.com/show_bug.cgi?id=2448388

Reproducible: Always
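
Added example, not part of the report or of any Fedora package: a POSIX shell audit helper that reports which sysctl.d drop-in ends up deciding kernel.yama.ptrace_scope, which is how a hardened host can confirm that a Recommends-installed file has not re-enabled non-child ptrace. It assumes systemd-sysctl precedence rules; the directory arguments stand in for /etc/sysctl.d and /usr/lib/sysctl.d, and the sample file names are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the bug report. Assumes systemd-sysctl ordering:
# drop-ins apply in lexical order of file name, a later assignment wins, and a
# file in an earlier (higher-priority) directory masks a same-named later one.

# usage: yama_effective DIR...   (highest-priority directory first)
# Prints "<value> <file>" for the winning assignment, or nothing if none.
yama_effective() (
    tab=$(printf '\t')
    files=$(
        for dir in "$@"; do
            for f in "$dir"/*.conf; do
                if [ -f "$f" ]; then printf '%s\t%s\n' "${f##*/}" "$f"; fi
            done
        done | LC_ALL=C sort -s -t "$tab" -k1,1 |
            awk -F'\t' '!seen[$1]++ { print $2 }'
    )
    result=""
    while IFS= read -r f; do
        if [ -z "$f" ]; then continue; fi
        val=$(awk -F= '{ gsub(/[ \t]/, "") }
            $1 == "kernel.yama.ptrace_scope" { v = $2 }
            END { if (v != "") print v }' "$f")
        if [ -n "$val" ]; then result="$val $f"; fi
    done <<EOF
$files
EOF
    if [ -n "$result" ]; then printf '%s\n' "$result"; fi
)

# Constructed sample tree; the file names are placeholders, not package paths.
yama_demo() (
    root=$(mktemp -d) || exit 1
    mkdir "$root/etc" "$root/usr"
    # A vendor-style drop-in that disables the restriction.
    printf 'kernel.yama.ptrace_scope = 0\n' > "$root/usr/10-example-yama.conf"
    a=$(yama_effective "$root/etc" "$root/usr")
    # A later-sorting admin drop-in restores child-only ptrace.
    printf 'kernel.yama.ptrace_scope=1\n' > "$root/etc/90-example-harden.conf"
    b=$(yama_effective "$root/etc" "$root/usr")
    rm -rf "$root"
    printf '%s %s\n' "${a%% *}" "${b%% *}"
)
```

An empty result means no drop-in sets the key, so the kernel default applies; the running value can be compared against /proc/sys/kernel/yama/ptrace_scope.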

Comment 1 Frank Ch. Eigler 2026-04-24 18:46:08 UTC
commit b81b9cba57ac43b7b0d1595ce881c1e8e30d5287
Author: Frank Ch. Eigler <fche>
Date:   Fri Apr 24 14:44:45 2026 -0400

    RHBZ2461617: systemtap.spec: Recommend yama-ptrace-enable for runtime package
    
    ... on fedora >= 45 and rhel >= 11

