#Dangerzone Issue
what's the output of ujust audit-secureblue --skip flatpak?
not sure if this is the cause of the issue but you do need kernel.yama.ptrace_scope to be 2 or less for Dangerzone to run, while you currently have it set to 3 (the default on secureblue). You can fix this by running run0edit /etc/sysctl.d/61-ptrace-scope.conf and changing the ptrace_scope value from 3 to 2
(and then you'll need to reboot for it to take effect)
this is because Dangerzone uses gVisor to sandbox the container it uses, and gVisor relies on ptrace to intercept syscalls
what's the output of sysctl kernel.yama.ptrace_scope?
have you rebooted since you set it to 2?
No, because I didn't change anything
It was already set to 2
Should I still reboot?
This has been an issue for a few days now
what's the output of rpm-ostree status?
it seems like something else must be setting ptrace_scope to 3 but I'm not sure what
State: idle
warning: Failed to query journal: couldn't find current boot in journal
AutomaticUpdates: stage; rpm-ostreed-automatic.timer: last run 10h ago
Deployments:
ostree-image-signed:docker://ghcr.io/secureblue/kinoite-main-hardened:latest
Digest: sha256:7a8d6fae0f34dcea5afe6fcb4f6a6c391c9beb240841b2a5bfdadf85d92c71be
Version: 43.20260331.0 (2026-03-31T07:29:31Z)
Diff: 1 upgraded
LayeredPackages: clamav clamd clamtk dangerzone earlyoom jetbrains-mono-fonts-all kitty lynis qemu qemu-user-static rkhunter tailscale trash-cli waypipe
LocalPackages: portmaster-2.1.7-1.x86_64 veracrypt-1.26.24-1.x86_64
● ostree-image-signed:docker://ghcr.io/secureblue/kinoite-main-hardened:latest
Digest: sha256:a97732792f419b61c6aa1cbc18f9cc85ae2b13b8e893919958eecbd1e871ef79
Version: 43.20260330.0 (2026-03-30T07:42:30Z)
LayeredPackages: clamav clamd clamtk dangerzone earlyoom jetbrains-mono-fonts-all kitty lynis qemu qemu-user-static rkhunter tailscale trash-cli waypipe
LocalPackages: portmaster-2.1.7-1.x86_64 veracrypt-1.26.24-1.x86_64
ostree-image-signed:docker://ghcr.io/secureblue/kinoite-main-hardened:latest
Digest: sha256:4814842656ec028953b7936ca317d8930705d25ac35e5b1fb0b2f395f02f5457
Version: 43.20260329.0 (2026-03-29T07:23:18Z)
LayeredPackages: clamav clamd clamtk dangerzone earlyoom jetbrains-mono-fonts-all kitty lynis qemu qemu-user-static rkhunter tailscale trash-cli waypipe
LocalPackages: portmaster-2.1.7-1.x86_64 veracrypt-1.26.24-1.x86_64
hm okay so your system is up to date and you're using the same image I am
have you made any other modifications to the contents of /etc/sysctl.d?
does grep -r ptrace /etc/sysctl.d turn up anything other than /etc/sysctl.d/61-ptrace-scope.conf?
❯ sudo grep -r ptrace /etc/sysctl.d
/etc/sysctl.d/61-ptrace-scope.conf:kernel.yama.ptrace_scope = 2

I don't think so
...sudo?
Alias
ah okay lol
how about grep -r ptrace /usr/lib/sysctl.d /run/sysctl.d /usr/local/lib/sysctl.d?
just to be thorough
/usr/lib/sysctl.d/10-default-yama-scope.conf:# space access which requires PTRACE_MODE_ATTACH like ptrace attach, access
/usr/lib/sysctl.d/10-default-yama-scope.conf:# Usage of ptrace attach is restricted by normal user permissions. Normal
/usr/lib/sysctl.d/10-default-yama-scope.conf:# unprivileged processes cannot interact through ptrace with processes
/usr/lib/sysctl.d/10-default-yama-scope.conf:# yama ptrace scope can be used to reduce these permissions even more.
/usr/lib/sysctl.d/10-default-yama-scope.conf:# relying on the default ptrace security restrictions. But can be used
/usr/lib/sysctl.d/10-default-yama-scope.conf:# domains. A different way to restrict ptrace is to set the selinux
/usr/lib/sysctl.d/10-default-yama-scope.conf:# deny_ptrace boolean. Both mechanisms will break some programs relying
/usr/lib/sysctl.d/10-default-yama-scope.conf:# on the ptrace system call and might force users to elevate their
/usr/lib/sysctl.d/10-default-yama-scope.conf:# is enabled in a kernel build (currently 1 for ptrace_scope).
/usr/lib/sysctl.d/10-default-yama-scope.conf:# 3 - No attach. No process may call ptrace at all. Irrevocable.
/usr/lib/sysctl.d/10-default-yama-scope.conf:kernel.yama.ptrace_scope = 0
grep: /run/sysctl.d: No such file or directory
grep: /usr/local/lib/sysctl.d: No such file or directory
Do you want me to run dangerzone and paste the logs here?
If that helps
okay nothing unexpected there, so I still don't know what's setting it to 3
nah we already know that ptrace_scope is set to 3 and that Dangerzone won't run with that setting
so that wouldn't give any new info
