Closed
Bug 1334132
Opened 8 years ago
Closed 8 years ago
Consider using `prctl(PR_SET_PTRACER, ...)` to ease e10s debugging on Linux
Categories
(Core :: Security: Process Sandboxing, defect)
Tracking
RESOLVED
FIXED
mozilla54
| | Tracking | Status |
|---|---|---|
| firefox54 | --- | fixed |
People
(Reporter: padenot, Assigned: padenot)
References
(Blocks 1 open bug)
Details
(Whiteboard: sb+)
Attachments
(1 file, 1 obsolete file)
See https://www.kernel.org/doc/Documentation/security/Yama.txt.
Maybe it would be worth it to pass `PR_SET_PTRACER_ANY` in debug, or to do something else?
Is there a way to allow `ptrace` on a gecko child process when the parent has been started with gdb?
The current scenario looks like this:
- `MOZ_DEBUG_CHILD_PROCESS=1 ./mach run --debugger=gdb`
- Look for the PID in the output of the parent
- Open another terminal
- `gdb objdir/dist/bin/firefox $PID`
- This does not work because of YAMA
Now, locally, you can do:
> `sudo gdb objdir/dist/bin/firefox $PID`
or
> `echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope`
because you're in `sudoers`. On taskcluster one-click-loaner, `/proc/sys` is read-only and can't be remounted rw because of Docker. On a machine where you're not root, nothing can be done as far as I know.
Updated•8 years ago
Whiteboard: sb+
Comment 1•8 years ago
We're already doing this on debug builds when we crash: http://searchfox.org/mozilla-central/rev/7da3c9dcf467964f2fb82f3a4c63972ee79bf696/toolkit/xre/nsSigHandlers.cpp#101
And PR_SET_PTRACER is allowed by the sandbox policy for that reason: http://searchfox.org/mozilla-central/rev/bf98cd4315b5efa1b28831001ad27d54df7bbb68/security/sandbox/linux/SandboxFilter.cpp#149
So this would just need the PR_SET_PTRACER to happen earlier, during startup; for example, here: http://searchfox.org/mozilla-central/rev/7da3c9dcf467964f2fb82f3a4c63972ee79bf696/toolkit/xre/nsEmbedFunctions.cpp#567
There's also a use case of starting the browser normally, attaching a debugger to some process, and then doing the steps-to-reproduce manually. In that case you'd want the early PR_SET_PTRACER but not the child pausing, but I don't know how common it is to do that without having root access.
Assignee
Comment 2•8 years ago
This works fine, and would allow debugging child processes on one-click-loaner.
How does it look?
Attachment #8831135 - Flags: review?(jld)
Assignee
Updated•8 years ago
Assignee: nobody → padenot
Status: NEW → ASSIGNED
Updated•8 years ago
Attachment #8831135 - Flags: review?(jld) → review+
Assignee
Comment 3•8 years ago
We need to define the arguments to `prctl` manually because they are not present in the header available on our builders (Ubuntu 14.04 - linux 3.13).
Assignee
Comment 4•8 years ago
Comment on attachment 8832025
Allow attaching to a child process on Linux when MOZ_DEBUG_CHILD_PROCESS is set and YAMA is activated and ptrace_scope is > 0
Same patch with the #define added, taken from another box that has a more recent kernel.
Attachment #8832025 - Flags: review?(jld)
Assignee
Updated•8 years ago
Attachment #8831135 - Attachment is obsolete: true
Comment 5•8 years ago
Comment on attachment 8832025
Allow attaching to a child process on Linux when MOZ_DEBUG_CHILD_PROCESS is set and YAMA is activated and ptrace_scope is > 0
Review of attachment 8832025:
-----------------------------------------------------------------
Sorry about that; I'd confused PR_SET_PTRACER with something else I was looking at that's been in the kernel for longer.
For reference: PR_SET_PTRACER was added in 3.4, according to the man page, and last I heard our builders are CentOS 6, which is on 2.6.32 (with a lot of patches but maybe not the Yama LSM), so that would explain the build failures. Ubuntu still supports a 3.2-based kernel for 12.04 LTS, but that includes some backported security features including Yama (and seccomp-bpf), and all of the newer releases are ≥ 3.4.
Attachment #8832025 - Flags: review?(jld) → review+
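The opt-in discussed in comments 1 and 3, as an added example (not the patch attached to this bug and not Mozilla's code): it defines the two `prctl` constants when the build headers lack them, reads the Yama `ptrace_scope` value, and calls `prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY)` only when a debug flag is set. The function names are hypothetical, and gating on `MOZ_DEBUG_CHILD_PROCESS` follows the patch title, not the patch contents.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>

/* Fallbacks for old build headers; values as in upstream linux/prctl.h. */
#ifndef PR_SET_PTRACER
#define PR_SET_PTRACER 0x59616d61
#endif
#ifndef PR_SET_PTRACER_ANY
#define PR_SET_PTRACER_ANY ((unsigned long)-1)
#endif

/* Parse the text of /proc/sys/kernel/yama/ptrace_scope; -1 if malformed. */
int parse_ptrace_scope(const char *text) {
    char *end;
    if (text == NULL) return -1;
    long v = strtol(text, &end, 10);
    if (end == text || (*end != '\0' && *end != '\n')) return -1;
    return (v >= 0 && v <= 3) ? (int)v : -1;
}

/* Read the live setting; -1 when Yama is absent or the file is unreadable. */
int read_ptrace_scope(void) {
    char buf[16];
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (f == NULL) return -1;
    int scope = fgets(buf, sizeof buf, f) ? parse_ptrace_scope(buf) : -1;
    fclose(f);
    return scope;
}

/* The opt-in only changes anything at scope 1: scope 0 uses classic ptrace
   permissions, 2 demands CAP_SYS_PTRACE, 3 forbids attaching outright. */
int optin_is_useful(int scope) { return scope == 1; }

/* Returns 1 if opted in, 0 if skipped (flag unset/empty), -1 if prctl failed. */
int allow_debugger_attach(const char *debug_flag) {
    if (debug_flag == NULL || debug_flag[0] == '\0') return 0;
    if (prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0) != 0) return -1;
    return 1;
}

int main(void) {
    int scope = read_ptrace_scope();
    int rc = allow_debugger_attach(getenv("MOZ_DEBUG_CHILD_PROCESS"));
    if (rc < 0) perror("prctl(PR_SET_PTRACER)");
    printf("ptrace_scope=%d optin=%d useful=%d\n", scope, rc, optin_is_useful(scope));
    return 0;
}
```

`PR_SET_PTRACER_ANY` lifts the Yama restriction for the calling process, so any process that passes the ordinary ptrace permission checks can attach; that is why the call is kept behind a debug-only flag.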
Pushed by paul@paul.cx:
https://hg.mozilla.org/integration/mozilla-inbound/rev/81fe225a5ffe
Allow attaching to a child process on Linux when MOZ_DEBUG_CHILD_PROCESS is set and YAMA is activated and ptrace_scope is > 0. r=jld
Comment 7•8 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54