Debugging applications that run under a ptrace restriction

Note: The following topic applies to applications running on Linux, and when using Docker.

On Linux-based platforms, by default, a process can attach to another process only if it has a predefined relationship with it, for example a parent process attaching to a child process that it started. This ptrace restriction applies to non-root users only and is designed to give better protection against malware attacks. The root user can still attach to any process.

This affects unsolicited Dynamic Attachment debugging.

This behavior is defined by the sysctl value in /proc/sys/kernel/yama/ptrace_scope, which is set to 1 by default.

To relax the restriction and allow processes to attach to other processes, this value must be set to 0. This allows processes that have the same user id to attach to each other. Execute the following to remove the restriction:

sudo sh << END
echo 0 > /proc/sys/kernel/yama/ptrace_scope
END

The following table shows which debugging methods require this change:

Debugging method                                                       sysctl value in ptrace_scope
---------------------------------------------------------------------  ----------------------------
Local debugging using Eclipse                                          Either 0 or 1
Debugging using local attach to process with Eclipse (attach to PID)   Must be 0
anim <prog>                                                            Either 0 or 1
COBSW=+A <prog>                                                        Either 0 or 1
anim <pid>                                                             Must be 0
cobanimsrv                                                             Either 0 or 1
CBL_DEBUG_START                                                        Either 0 or 1
debug_on_error tunable                                                 Either 0 or 1
core_on_error tunable                                                  Either 0 or 1
stackdump_on_error tunable                                             Either 0 or 1
Remote debugging using Eclipse                                         Either 0 or 1
Debugging using remote attach to process with Eclipse (attach to PID)  Must be 0
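
A pre-flight check for the attach-to-PID methods in the table, as an added example that is not part of the original documentation. It goes beyond the two values discussed here by also handling the kernel's values 2 and 3 and a missing file (Yama not enabled); the function names and the SCOPE_FILE override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report whether attach-to-PID debugging is expected to work.
# SCOPE_FILE is a hypothetical override so the check can be exercised on a test file.
SCOPE_FILE="${SCOPE_FILE:-/proc/sys/kernel/yama/ptrace_scope}"

# Print the ptrace_scope value stored in file $1. If the file is absent the
# Yama module is not active, so the classic same-user rules apply (same as 0).
read_ptrace_scope() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        echo 0
    fi
}

# attach_verdict <scope> <uid>
# Prints a verdict for attaching to an unrelated process owned by the same
# user. Returns 0 if the attach is expected to work, 1 otherwise.
attach_verdict() {
    av_scope=$1
    av_uid=$2
    case "$av_scope" in
        0)  echo "allowed: same-user attach permitted"; return 0 ;;
        1|2)
            # 1 = only related processes, 2 = only CAP_SYS_PTRACE holders;
            # root passes both (assuming it still holds CAP_SYS_PTRACE).
            if [ "$av_uid" -eq 0 ]; then
                echo "allowed: running as root"; return 0
            fi
            echo "blocked: ptrace_scope is $av_scope, attach to PID needs 0 or root"
            return 1 ;;
        3)  # 3 disables attach for everyone and cannot be changed until reboot.
            echo "blocked: ptrace attach disabled until reboot"; return 1 ;;
        *)  echo "blocked: unexpected ptrace_scope value '$av_scope'"; return 1 ;;
    esac
}

# Report for the current system and user; "|| true" keeps the script's exit
# status clean when the verdict is "blocked".
attach_verdict "$(read_ptrace_scope "$SCOPE_FILE")" "$(id -u)" || true
```
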

For more on the ptrace restriction, check your operating system documentation.