diff --git a/sys/kern/init_main.c b/sys/kern/init_main.c
index c1e20ebba284..52c4e302005e 100644
--- a/sys/kern/init_main.c
+++ b/sys/kern/init_main.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: init_main.c,v 1.403 2009/10/02 18:50:14 elad Exp $	*/
+/*	$NetBSD: init_main.c,v 1.404 2009/10/02 22:18:57 elad Exp $	*/
 
 /*-
  * Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
@@ -97,7 +97,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: init_main.c,v 1.403 2009/10/02 18:50:14 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: init_main.c,v 1.404 2009/10/02 22:18:57 elad Exp $");
 
 #include "opt_ddb.h"
 #include "opt_ipsec.h"
@@ -112,6 +112,7 @@ __KERNEL_RCSID(0, "$NetBSD: init_main.c,v 1.403 2009/10/02 18:50:14 elad Exp $")
 #include "opt_pax.h"
 #include "opt_compat_netbsd.h"
 #include "opt_wapbl.h"
+#include "opt_ptrace.h"
 
 #include "drvctl.h"
 #include "ksyms.h"
@@ -201,6 +202,9 @@ __KERNEL_RCSID(0, "$NetBSD: init_main.c,v 1.403 2009/10/02 18:50:14 elad Exp $")
 #include <sys/savar.h>
 #endif
 #include <net80211/ieee80211_netbsd.h>
+#ifdef PTRACE
+#include <sys/ptrace.h>
+#endif /* PTRACE */
 
 #include <sys/syscall.h>
 #include <sys/syscallargs.h>
@@ -550,6 +554,11 @@ main(void)
 	ktrinit();
 #endif
 
+#ifdef PTRACE
+	/* Initialize ptrace. */
+	ptrace_init();
+#endif /* PTRACE */
+
 	/* Initialize the UUID system calls. */
 	uuid_init();
 
diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c
index 8eceb06fc31f..d14785752976 100644
--- a/sys/kern/sys_process.c
+++ b/sys/kern/sys_process.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: sys_process.c,v 1.147 2009/06/28 11:42:07 yamt Exp $	*/
+/*	$NetBSD: sys_process.c,v 1.148 2009/10/02 22:18:57 elad Exp $	*/
 
 /*-
  * Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
@@ -118,7 +118,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sys_process.c,v 1.147 2009/06/28 11:42:07 yamt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sys_process.c,v 1.148 2009/10/02 22:18:57 elad Exp $");
 
 #include "opt_ptrace.h"
 #include "opt_ktrace.h"
@@ -141,6 +141,80 @@ __KERNEL_RCSID(0, "$NetBSD: sys_process.c,v 1.147 2009/06/28 11:42:07 yamt Exp $
 #include <machine/reg.h>
 
 #ifdef PTRACE
+static kauth_listener_t ptrace_listener;
+
+static int
+ptrace_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie,
+    void *arg0, void *arg1, void *arg2, void *arg3)
+{
+	struct proc *p;
+	int result;
+
+	result = KAUTH_RESULT_DEFER;
+	p = arg0;
+
+	if (action != KAUTH_PROCESS_PTRACE)
+		return result;
+
+	switch ((u_long)arg1) {
+	case PT_TRACE_ME:
+	case PT_ATTACH:
+	case PT_WRITE_I:
+	case PT_WRITE_D:
+	case PT_READ_I:
+	case PT_READ_D:
+	case PT_IO:
+#ifdef PT_GETREGS
+	case PT_GETREGS:
+#endif
+#ifdef PT_SETREGS
+	case PT_SETREGS:
+#endif
+#ifdef PT_GETFPREGS
+	case PT_GETFPREGS:
+#endif
+#ifdef PT_SETFPREGS
+	case PT_SETFPREGS:
+#endif
+#ifdef __HAVE_PTRACE_MACHDEP
+	PTRACE_MACHDEP_REQUEST_CASES
+#endif
+		if (kauth_cred_getuid(cred) != kauth_cred_getuid(p->p_cred) ||
+		    ISSET(p->p_flag, PK_SUGID)) {
+			break;
+		}
+
+		result = KAUTH_RESULT_ALLOW;
+
+	break;
+
+#ifdef PT_STEP
+	case PT_STEP:
+#endif
+	case PT_CONTINUE:
+	case PT_KILL:
+	case PT_DETACH:
+	case PT_LWPINFO:
+	case PT_SYSCALL:
+	case PT_DUMPCORE:
+		result = KAUTH_RESULT_ALLOW;
+		break;
+
+	default:
+		break;
+	}
+
+	return result;
+}
+
+void
+ptrace_init(void)
+{
+
+	ptrace_listener = kauth_listen_scope(KAUTH_SCOPE_PROCESS,
+	    ptrace_listener_cb, NULL);
+}
+
 /*
  * Process debugging system call.
  */
@@ -958,3 +1032,4 @@ process_stoptrace(void)
 	KERNEL_LOCK(l->l_biglocks, l);
 }
 #endif	/* KTRACE || PTRACE */
+
diff --git a/sys/secmodel/suser/secmodel_suser.c b/sys/secmodel/suser/secmodel_suser.c
index 68e8c6dcdcad..cb013d866943 100644
--- a/sys/secmodel/suser/secmodel_suser.c
+++ b/sys/secmodel/suser/secmodel_suser.c
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_suser.c,v 1.4 2009/10/02 22:05:52 elad Exp $ */
+/* $NetBSD: secmodel_suser.c,v 1.5 2009/10/02 22:18:57 elad Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
  * All rights reserved.
@@ -38,7 +38,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.4 2009/10/02 22:05:52 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.5 2009/10/02 22:18:57 elad Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -640,63 +640,11 @@ secmodel_suser_process_cb(kauth_cred_t cred, kauth_action_t action,
 		break;
 		}
 
-	case KAUTH_PROCESS_PTRACE: {
-		switch ((u_long)arg1) {
-		case PT_TRACE_ME:
-		case PT_ATTACH:
-		case PT_WRITE_I:
-		case PT_WRITE_D:
-		case PT_READ_I:
-		case PT_READ_D:
-		case PT_IO:
-#ifdef PT_GETREGS
-		case PT_GETREGS:
-#endif
-#ifdef PT_SETREGS
-		case PT_SETREGS:
-#endif
-#ifdef PT_GETFPREGS
-		case PT_GETFPREGS:
-#endif
-#ifdef PT_SETFPREGS
-		case PT_SETFPREGS:
-#endif
-#ifdef __HAVE_PTRACE_MACHDEP
-		PTRACE_MACHDEP_REQUEST_CASES
-#endif
-			if (isroot) {
-				result = KAUTH_RESULT_ALLOW;
-				break;
-			}
-
-			if (kauth_cred_getuid(cred) !=
-			    kauth_cred_getuid(p->p_cred) ||
-			    ISSET(p->p_flag, PK_SUGID)) {
-				break;
-			}
-
+	case KAUTH_PROCESS_PTRACE:
+		if (isroot)
 			result = KAUTH_RESULT_ALLOW;
-			break;
-
-#ifdef PT_STEP
-		case PT_STEP:
-#endif
-		case PT_CONTINUE:
-		case PT_KILL:
-		case PT_DETACH:
-		case PT_LWPINFO:
-		case PT_SYSCALL:
-		case PT_DUMPCORE:
-			result = KAUTH_RESULT_ALLOW;
-			break;
-
-		default:
-	        	result = KAUTH_RESULT_DEFER;
-		        break;
-		}
 
 		break;
-		}
 
 	case KAUTH_PROCESS_CORENAME:
 		if (isroot || proc_uidmatch(cred, p->p_cred) == 0)
diff --git a/sys/sys/ptrace.h b/sys/sys/ptrace.h
index 4a5db7d76d85..aec0819666ca 100644
--- a/sys/sys/ptrace.h
+++ b/sys/sys/ptrace.h
@@ -1,4 +1,4 @@
-/*	$NetBSD: ptrace.h,v 1.40 2008/01/05 12:41:43 dsl Exp $	*/
+/*	$NetBSD: ptrace.h,v 1.41 2009/10/02 22:18:56 elad Exp $	*/
 
 /*-
  * Copyright (c) 1984, 1993
@@ -99,6 +99,8 @@ struct fpreg;
 #endif
 #endif
 
+void	ptrace_init(void);
+
 int	process_doregs(struct lwp *, struct lwp *, struct uio *);
 int	process_validregs(struct lwp *);