On Tue, Oct 02, 2018 at 10:47:23PM +0200, Yves-Alexis Perez wrote: > Current phrasing is ambiguous since it's unclear if attaching to a > children through PTRACE_TRACEME requires CAP_SYS_PTRACE. Rephrase the > sentence to make that clear. I disagree that your sentence makes that clear. How about: > 2 - admin-only attach: > - only processes with ``CAP_SYS_PTRACE`` may use ptrace > - with ``PTRACE_ATTACH``, or through children calling ``PTRACE_TRACEME``. > + only processes with ``CAP_SYS_PTRACE`` may use ptrace, either with > + ``PTRACE_ATTACH`` or through children calling ``PTRACE_TRACEME``. + only processes with ``CAP_SYS_PTRACE`` may use ptrace. This + restricts both ``PTRACE_ATTACH`` and ``PTRACE_TRACEME``.
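Review bot: in the last two `+` lines, "This restricts both ``PTRACE_ATTACH`` and ``PTRACE_TRACEME``" still does not say which process needs ``CAP_SYS_PTRACE`` in the ``PTRACE_TRACEME`` case: the child making the call or the parent that becomes its tracer. That is the ambiguity the commit message sets out to remove. Naming the subject of the check would settle it, for example "only processes with ``CAP_SYS_PTRACE`` may become a tracer, whether they call ``PTRACE_ATTACH`` or a child of theirs calls ``PTRACE_TRACEME``", provided that wording matches what the code checks.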