From ca7638301a6a19093d292e1aa1965835b492065c Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Wed, 20 Jun 2012 09:28:53 -0700
Subject: [PATCH] Allow more permissive ptrace.

This is a temporary measure, and should be reverted when no longer needed.

Currently needed for:
https://lists.launchpad.net/openstack/msg13381.html

Change-Id: Ic7d01f939532bb69ea6d647688d4e9fcb8bbdfde
---
 modules/jenkins_slave/files/10-ptrace.conf | 24 ++++++++++++++++++++++
 modules/jenkins_slave/manifests/init.pp | 16 +++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 modules/jenkins_slave/files/10-ptrace.conf

diff --git a/modules/jenkins_slave/files/10-ptrace.conf b/modules/jenkins_slave/files/10-ptrace.conf
new file mode 100644
index 0000000000..0e8abd2ff1
--- /dev/null
+++ b/modules/jenkins_slave/files/10-ptrace.conf
@@ -0,0 +1,24 @@
+# This file is managed by puppet.
+#
+# The PTRACE system is used for debugging. With it, a single user process
+# can attach to any other dumpable process owned by the same user. In the
+# case of malicious software, it is possible to use PTRACE to access
+# credentials that exist in memory (re-using existing SSH connections,
+# extracting GPG agent information, etc).
+#
+# A PTRACE scope of "0" is the more permissive mode. A scope of "1" limits
+# PTRACE only to direct child processes (e.g. "gdb name-of-program" and
+# "strace -f name-of-program" work, but gdb's "attach" and "strace -fp $PID"
+# do not). The PTRACE scope is ignored when a user has CAP_SYS_PTRACE, so
+# "sudo strace -fp $PID" will work as before. For more details see:
+# https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace
+#
+# For applications launching crash handlers that need PTRACE, exceptions can
+# be registered by the debugee by declaring in the segfault handler
+# specifically which process will be using PTRACE on the debugee:
+# prctl(PR_SET_PTRACER, debugger_pid, 0, 0, 0);
+#
+# In general, PTRACE is not needed for the average running Ubuntu system.
+# To that end, the default is to set the PTRACE scope to "1". This value
+# may not be appropriate for developers or servers with only admin accounts.
+kernel.yama.ptrace_scope = 0
diff --git a/modules/jenkins_slave/manifests/init.pp b/modules/jenkins_slave/manifests/init.pp
index 4d196b72c6..03824d75e3 100644
--- a/modules/jenkins_slave/manifests/init.pp
+++ b/modules/jenkins_slave/manifests/init.pp
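Review bot: The header comment is the stock Ubuntu text and ends by stating that the default is scope "1", which contradicts the only setting in the file, `kernel.yama.ptrace_scope = 0`; someone reading /etc/sysctl.d on a slave will not learn that this is a deliberate, temporary override. The comment block itself spells out the risk being accepted: with scope 0 any process running as the same user can attach to every other process of that user and read credentials from memory, which on a build slave presumably includes whatever the jobs themselves run. Suggest replacing the final paragraph with a note such as `# OVERRIDE: scope 0 is set on Jenkins slaves to debug the glance launch problem (https://lists.launchpad.net/openstack/msg13381.html); revert to 1 once that is resolved.` so the intent and the revert condition travel with the file. Because the file keeps the distribution's name, it likely replaces the packaged 10-ptrace.conf on the host, so it is worth confirming that a later package upgrade neither conflicts with it nor silently reinstates the stricter value.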
@@ -178,4 +178,20 @@ class jenkins_slave($ssh_key, $sudo = false, $bare = false, $user = true) {
 "puppet:///modules/jenkins_slave/slave_scripts",
 ],
 }
+
+ # Temporary for debugging glance launch problem
+ # https://lists.launchpad.net/openstack/msg13381.html
+ file { '/etc/sysctl.d/10-ptrace.conf':
+ ensure => present,
+ source => "puppet:///modules/jenkins_slave/10-ptrace.conf",
+ owner => 'root',
+ group => 'root',
+ mode => 444,
+ }
+
+ exec { "ptrace sysctl":
+ subscribe => File['/etc/sysctl.d/10-ptrace.conf'],
+ refreshonly => true,
+ command => "/sbin/sysctl -p /etc/sysctl.d/10-ptrace.conf",
+ }
 }
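Review bot: The relaxed ptrace scope is applied unconditionally to every node that includes jenkins_slave, although the commit message describes it as a temporary measure for a single debugging case; gating it on a class parameter, e.g. adding `$permissive_ptrace = false` to the class signature and wrapping the file and exec resources in `if $permissive_ptrace { ... }`, would confine the exposure to the slaves that need it and make the eventual revert a one-line change. Two smaller points in the same resources: `mode => 444` is better written as the quoted string `'0444'`, the form Puppet documents for file modes, and because the exec is `refreshonly => true` it only runs when the file changes, so a host whose running value was later changed by hand will not be corrected by Puppet — acceptable for a temporary measure if the comment says so. The class jenkins_slave begins before this hunk; only its closing brace is visible here.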