prctl.2: Document PR_SET_PTRACER

Document the Yama LSM's prctl handler that allows processes to
declare ptrace restriction exception relationships via
PR_SET_PTRACER.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

man2/prctl.2

@@ -45,9 +45,10 @@
 .\" 2012-09-20 Kees Cook, document PR_SET_NO_NEW_PRIVS, PR_GET_NO_NEW_PRIVS
 .\" 2012-10-25 Michael Kerrisk, Document PR_SET_TIMERSLACK and
 .\"                             PR_GET_TIMERSLACK
+.\" 2013-01-10 Kees Cook, document PR_SET_PTRACER
 .\"
 .\"
-.TH PRCTL 2 2012-10-25 "Linux" "Linux Programmer's Manual"
+.TH PRCTL 2 2013-01-10 "Linux" "Linux Programmer's Manual"
 .SH NAME
 prctl \- operations on a process
 .SH SYNOPSIS
@@ -270,6 +271,21 @@ Return the current value of the parent process death signal,
 in the location pointed to by
 .IR "(int\ *) arg2" .
 .TP
+.BR PR_SET_PTRACER " (since Linux 3.4)"
+This is only meaningful when the Yama LSM is enabled and in mode 1
+("restricted ptrace", visible via
+.IR /proc/sys/kernel/yama/ptrace_scope ).
+When a "ptracer process id" is passed in \fIarg2\fP, the caller is declaring
+that the ptracer process can ptrace the current process as if it were a
+direct process ancestor. When set to 0, this relationship is removed. When
+set to
+.BR PR_SET_PTRACER_ANY,
+the ptrace restrictions introduced by Yama are effectively disabled for the
+current process.
+
+For further information, see the kernel source file
+.IR Documentation/security/Yama.txt .
+.TP
 .BR PR_SET_SECCOMP " (since Linux 2.6.23)"
 .\" See http://thread.gmane.org/gmane.linux.kernel/542632
 .\" [PATCH 0 of 2] seccomp updates