strace Permission Denied — ptrace Scope Restricted for Process Tracing
This article is part of our Linux Error Codes collection on Error Codes Wiki.
Quick Answer
What does ptrace_scope = 1 mean?
With ptrace_scope = 1, a process can be attached to only by one of its ancestors (a process in its parent chain, such as the strace that launched it) or by a process holding CAP_SYS_PTRACE. You can strace a process you launch, but you cannot attach to an already-running process, even one you own. This stops a compromised process running under your user from inspecting the memory and state of your other processes.
Overview
Fix strace 'Operation not permitted' errors caused by Yama ptrace scope restrictions preventing non-root users from tracing processes on Linux.
Key Details
- strace traces system calls made by processes — essential for debugging application behavior
- ptrace (process trace) is the kernel feature that strace uses to intercept system calls
- Yama LSM (Linux Security Module) controls ptrace access through kernel.yama.ptrace_scope
- Default ptrace_scope is 1 (restricted), which only allows tracing descendant processes
- Attaching strace to an already-running process requires ptrace_scope 0 or root privileges (CAP_SYS_PTRACE)
Common Causes
- Yama ptrace_scope set to 1 or higher, restricting attachment to running processes
- Trying to strace a process that was not started by the current user
- Container security context blocking the ptrace system call
- AppArmor or SELinux policy denying ptrace access
Steps
1. Start the program under strace instead of attaching: 'strace -f -o trace.log ./my-program' ('-f' also follows child processes, which scope 1 permits because strace is their ancestor).
2. To attach to an existing process, use root: 'sudo strace -p PID'.
3. To allow attaching temporarily (until reboot): 'echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope'.
4. To persist the setting, add 'kernel.yama.ptrace_scope = 0' to /etc/sysctl.conf. This is a security trade-off: any process running under your uid can then attach to, and read the memory of, every other process you own.
5. In containers, add '--cap-add SYS_PTRACE' to 'docker run', or add the SYS_PTRACE capability to the pod spec (under the container's securityContext.capabilities).
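As an added example (not code from the Error Codes Wiki page), the following POSIX shell script applies the rules from the Quick Answer, Common Causes and Steps sections to decide, before you run 'strace -p PID', whether the attach will be permitted and which remedy applies. It assumes a Linux /proc filesystem; the function names (yama_scope, is_ancestor, has_cap_sys_ptrace, recommend, check_attach) and the script name ptrace_check.sh are my own. Scope values 2 (attach needs CAP_SYS_PTRACE) and 3 (attach disabled until reboot) are Yama semantics the page only covers as "1 or higher".

```shell
#!/bin/sh
# ptrace_check.sh (added example): explain why 'strace -p PID' would fail and
# which remedy from the steps above fits. Uses only /proc and the Yama sysctl
# file, so it runs without strace and without root.

YAMA_FILE=/proc/sys/kernel/yama/ptrace_scope

# Current Yama scope, or "none" when the Yama LSM is not compiled in / mounted.
yama_scope() {
  if [ -r "$YAMA_FILE" ]; then cat "$YAMA_FILE"; else echo none; fi
}

# Real uid of a process ("Uid:" line is real, effective, saved, fs).
proc_uid() { awk '/^Uid:/ {print $2}' "/proc/$1/status" 2>/dev/null; }

# Parent pid of a process.
proc_ppid() { awk '/^PPid:/ {print $2}' "/proc/$1/status" 2>/dev/null; }

# is_ancestor TRACER TRACEE: succeeds when TRACER is in TRACEE's parent chain,
# the relationship Yama scope 1 requires (a tracee may also opt in with
# prctl(PR_SET_PTRACER); that case is not detected here).
is_ancestor() {
  tracer=$1
  pid=$2
  while [ -n "$pid" ] && [ "$pid" -gt 1 ]; do
    pid=$(proc_ppid "$pid")
    [ -n "$pid" ] || return 1
    [ "$pid" -eq "$tracer" ] && return 0
  done
  return 1
}

# has_cap_sys_ptrace: test bit 19 (CAP_SYS_PTRACE) of this shell's effective
# capability mask, which is what root or '--cap-add SYS_PTRACE' grants.
has_cap_sys_ptrace() {
  cap=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null)
  [ -n "$cap" ] || return 1
  low=$(printf '%s' "$cap" | tail -c 8)   # bit 19 lives in the low 32 bits
  val=$((0x$low))
  [ $(( (val >> 19) & 1 )) -eq 1 ]
}

# recommend SCOPE TRACER TRACEE: print the verdict for an attach that does NOT
# rely on CAP_SYS_PTRACE. SCOPE is a parameter so any value can be examined.
# Exit status 0 = attach allowed, 1 = denied, 2 = unknown scope value.
recommend() {
  scope=$1; tracer=$2; tracee=$3
  same_uid=0
  [ "$(proc_uid "$tracer")" = "$(proc_uid "$tracee")" ] && same_uid=1
  case "$scope" in
    none|0)
      if [ "$same_uid" -eq 1 ]; then
        echo "attach allowed: classic ptrace rules, same uid"; return 0
      fi
      echo "denied: target runs as another user; use 'sudo strace -p $tracee'"; return 1 ;;
    1)
      if [ "$same_uid" -eq 1 ] && is_ancestor "$tracer" "$tracee"; then
        echo "attach allowed: tracer is an ancestor of the target"; return 0
      fi
      echo "denied: ptrace_scope=1 allows only ancestors; launch the program under 'strace -f -o trace.log', use 'sudo strace -p $tracee', or set ptrace_scope to 0 (security trade-off)"; return 1 ;;
    2)
      echo "denied: ptrace_scope=2 requires CAP_SYS_PTRACE; use 'sudo strace -p $tracee'"; return 1 ;;
    3)
      echo "denied: ptrace_scope=3 disables attach until reboot; trace by launching under strace"; return 1 ;;
    *)
      echo "unknown ptrace_scope value: $scope"; return 2 ;;
  esac
}

# check_attach PID: the one-shot diagnostic to run before 'strace -p PID'.
check_attach() {
  target=$1
  [ -d "/proc/$target" ] || { echo "no such process: $target"; return 2; }
  if has_cap_sys_ptrace; then
    echo "attach allowed: this shell holds CAP_SYS_PTRACE (root, or --cap-add SYS_PTRACE in a container)"
    return 0
  fi
  recommend "$(yama_scope)" "$$" "$target"
}

# Usage: sh ptrace_check.sh PID
if [ $# -eq 1 ]; then check_attach "$1"; fi
```

The recommend function takes the scope as an argument so you can ask what would happen under a different setting without touching the sysctl; check_attach reads the live value and also short-circuits when the shell already holds CAP_SYS_PTRACE, which is why 'sudo strace -p' and '--cap-add SYS_PTRACE' work regardless of the scope.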