From 13c7083bc028616e258e5e6919db7b11c6e739a6 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Wed, 20 Aug 2025 00:27:45 +0900
Subject: [PATCH] container: ptrace protection via Yama LSM

This is only a nice to have feature as the init process has no additional privileges and the monitor process was never reachable anyway.

Closes #4.

Signed-off-by: Ophestra
---
 cmd/hakurei/main.go | 5 +++++
 container/init.go | 5 +++++
 container/syscall.go | 8 ++++++++
 3 files changed, 18 insertions(+)

diff --git a/cmd/hakurei/main.go b/cmd/hakurei/main.go
index 7e223cd..a636cfc 100644
--- a/cmd/hakurei/main.go
+++ b/cmd/hakurei/main.go
@@ -30,6 +30,11 @@ func main() {
 // early init path, skips root check and duplicate PR_SET_DUMPABLE
 container.TryArgv0(hlog.Output{}, hlog.Prepare, internal.InstallOutput)
 
+ if err := container.SetPtracer(0); err != nil {
+ hlog.Verbosef("cannot enable ptrace protection via Yama LSM: %v", err)
+ // not fatal: this program runs as the privileged user
+ }
+
 if err := container.SetDumpable(container.SUID_DUMP_DISABLE); err != nil {
 log.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
 // not fatal: this program runs as the privileged user
diff --git a/container/init.go b/container/init.go
index 885b543..0f888fa 100644
--- a/container/init.go
+++ b/container/init.go
@@ -55,6 +55,11 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 log.Fatal("this process must run as pid 1")
 }
 
+ if err := SetPtracer(0); err != nil {
+ msg.Verbosef("cannot enable ptrace protection via Yama LSM: %v", err)
+ // not fatal: this program has no additional privileges at initial program start
+ }
+
 var (
 params initParams
 closeSetup func() error
diff --git a/container/syscall.go b/container/syscall.go
index 62b85c5..8fb41e7 100644
--- a/container/syscall.go
+++ b/container/syscall.go
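Review bot: `container.SetPtracer(0)` in this hunk does not tighten the ptrace posture: under Yama, PR_SET_PTRACER with pid 0 removes a previously declared ptracer exception, and this process has declared none, so the effective policy stays whatever `kernel.yama.ptrace_scope` already is, and on a kernel without Yama the call fails with EINVAL and is merely logged. What actually stops unprivileged same-uid processes from attaching is the `SetDumpable(container.SUID_DUMP_DISABLE)` call that follows, so the new message and comment overstate what was gained. I would reword them to `hlog.Verbosef("cannot clear Yama ptracer exception: %v", err)` and `// not fatal: only clears a PR_SET_PTRACER exception; the effective scope is set by kernel.yama.ptrace_scope`. The same applies to the init.go hunk, which has no dumpable counterpart, so nothing there changes the ptrace posture beyond the sysctl default. Both func main and func Init start before their hunks and continue after them.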
@@ -9,6 +9,14 @@ const (
 SUID_DUMP_USER
 )
 
+func SetPtracer(pid uintptr) error {
+ _, _, errno := syscall.Syscall(syscall.SYS_PRCTL, syscall.PR_SET_PTRACER, pid, 0)
+ if errno == 0 {
+ return nil
+ }
+ return errno
+}
+
 func SetDumpable(dumpable uintptr) error {
 // linux/sched/coredump.h
 if _, _, errno := syscall.Syscall(syscall.SYS_PRCTL, syscall.PR_SET_DUMPABLE, dumpable, 0); errno != 0 {
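Review bot: `SetPtracer` is exported but carries no doc comment, and the meaning of its argument is not obvious from the name: under Yama a non-zero pid names the one process allowed to attach, pid 0 removes any previously declared ptracer rather than restricting anything, and kernels without Yama reject the prctl with EINVAL. Suggest `// SetPtracer calls prctl(PR_SET_PTRACER, pid); pid 0 clears any previously declared ptracer exception. Returns the errno on failure, including EINVAL when Yama is not enabled.` above the new function. As a point of style, `SetDumpable` right below uses the `if _, _, errno := syscall.Syscall(...); errno != 0 { return errno }` shape, so `SetPtracer` could follow the same form instead of testing the success branch first.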