ptrace.2: Note that user namespaces can be used to bypass Yama protections

Cowrittten-by: Jann Horn <jann@thejh.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

man2/ptrace.2

@@ -2352,8 +2352,10 @@ is unchanged.
 1 ("restricted ptrace") [default value]
 When performing an operation that requires a
 .BR PTRACE_MODE_ATTACH
-check, the calling process must have a predefined relationship
-with the target process.
+check, the calling process must either have the
+.B CAP_SYS_PTRACE
+capability in the user namespace of the target process or
+it have a predefined relationship with the target process.
 By default,
 the predefined relationship is that the target process
 must be a child of the caller.
@@ -2375,7 +2377,7 @@ is unchanged.
 2 ("admin-only attach")
 Only processes with the
 .B CAP_SYS_PTRACE
-capability may perform
+capability in the user namespace of the target process may perform
 .BR PTRACE_MODE_ATTACH
 operations or trace children that employ
 .BR PTRACE_TRACEME .
@@ -2387,6 +2389,14 @@ operations or trace children that employ
 .BR PTRACE_TRACEME .
 
 Once this value has been written to the file, it cannot be changed.
+.PP
+With respect to values 1 and 2,
+note that creating a user namespace effectively removes the Yama protection,
+because the owner of a namespace, when accessing its members from outside, has
+.BR CAP_SYS_PTRACE
+within the namespace.
+This means that when a process tries to use namespaces to sandbox
+itself, it inadvertently weakens the protections offered by the Yama LSM.
 .\"
 .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
 .\"