checkpoint-restore / criu

Checkpoint/Restore tool
criu.org

Where is the SYS_PTRACE capability being used #2495

Open leonard520 opened 3 hours ago

leonard520 commented 3 hours ago

Description

Recently, I've been experimenting with this project using OpenJDK's CRaC. I found that in order to perform checkpoint and restore, additional sys_ptrace permissions are required. It works with these permissions, but since ptrace has elevated privileges, I'm trying to understand in what scenarios it's actually needed. I did a test where I only granted the container checkpoint_restore capability, and it still completed the operation successfully. So, I'm wondering if it depends on specific application scenarios? If so, what are the scenarios where it's needed? Thank you!

adrianreber commented 3 hours ago

I am confused. You say:

> I found that in order to perform checkpoint and restore, additional sys_ptrace permissions are required.

and

> I did a test where I only granted the container checkpoint_restore capability, and it still completed the operation successfully.

Do you see that CAP_SYS_PTRACE is needed or not? If it is not needed, why do you think it might be necessary?

There is the following line in the man page:

> criu also needs either CAP_SYS_PTRACE or a value of 0 in /proc/sys/kernel/yama/ptrace_scope (see ptrace(2)) to be able to interrupt the process for dumping.

Does that help?

avagin commented 6 minutes ago

> Recently, I've been experimenting with this project using OpenJDK's CRaC.

This is an unprivileged single-user variant, so I think CAP_SYS_PTRACE is required only when yama policies are enabled: https://www.kernel.org/doc/html/v4.15/admin-guide/LSM/Yama.html
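The two replies above reduce the question to one rule from criu(8): the dumper needs either CAP_SYS_PTRACE in its effective set or a Yama ptrace_scope of 0. The script below is an added example for checking which of those conditions holds on a host; it is not CRIU code and not part of this thread. The function names (has_cap, eff_caps, yama_scope, dump_allowed, report) are my own. It assumes a Linux kernel, the capability bit numbers from linux/capability.h (CAP_SYS_PTRACE = 19, CAP_CHECKPOINT_RESTORE = 40), and the Yama scope semantics from the document avagin links: scope 1 only lets a tracer attach to its own descendants without CAP_SYS_PTRACE, scope 2 requires CAP_SYS_PTRACE for any attach, and scope 3 forbids PTRACE_ATTACH for everyone. A result of "yes" with only CAP_CHECKPOINT_RESTORE present is what the reporter's test would show on a host where ptrace_scope is 0.

```shell
#!/bin/sh
# Added example (not CRIU code): decide whether a dumper can interrupt a
# target process, following the criu(8) rule quoted in the thread:
# CAP_SYS_PTRACE in the effective set, or Yama ptrace_scope == 0.
# Capability bit numbers are those of linux/capability.h.
CAP_SYS_PTRACE=19
CAP_CHECKPOINT_RESTORE=40

# has_cap MASK BIT: succeed when bit BIT is set in MASK, a hex capability
# mask in the form found in /proc/<pid>/status (CapEff, no 0x prefix).
has_cap() {
    mask=$1
    bit=$2
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# eff_caps: print the effective capability mask of this shell (Linux only;
# prints nothing where /proc/self/status is unavailable).
eff_caps() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null
}

# yama_scope: print kernel.yama.ptrace_scope, or "absent" when Yama is not
# loaded, in which case only the classic ptrace permission checks apply.
yama_scope() {
    if [ -r /proc/sys/kernel/yama/ptrace_scope ]; then
        cat /proc/sys/kernel/yama/ptrace_scope
    else
        echo absent
    fi
}

# dump_allowed MASK SCOPE: print "yes: ..." or "no: ..." for a dumper with
# capability mask MASK under Yama scope SCOPE. Scope 1 (restricted) still
# lets a tracer attach to its own descendants; that case is not modelled
# here because criu normally dumps a process tree it did not spawn.
dump_allowed() {
    mask=$1
    scope=$2
    if [ "$scope" = 3 ]; then
        echo "no: ptrace_scope=3 forbids PTRACE_ATTACH for everyone"
    elif has_cap "$mask" "$CAP_SYS_PTRACE"; then
        echo "yes: CAP_SYS_PTRACE is in the effective set"
    elif [ "$scope" = 0 ] || [ "$scope" = absent ]; then
        echo "yes: ptrace_scope=$scope, classic ptrace permissions apply"
    else
        echo "no: ptrace_scope=$scope and no CAP_SYS_PTRACE"
    fi
}

# report: evaluate the rule for the current shell. Also shows whether
# CAP_CHECKPOINT_RESTORE is present, since that capability alone does not
# satisfy the ptrace requirement.
report() {
    mask=$(eff_caps)
    if [ -z "$mask" ]; then
        echo "unknown: /proc/self/status not readable"
        return 0
    fi
    scope=$(yama_scope)
    if has_cap "$mask" "$CAP_CHECKPOINT_RESTORE"; then cr=present; else cr=absent; fi
    echo "CapEff=$mask CAP_CHECKPOINT_RESTORE=$cr ptrace_scope=$scope"
    dump_allowed "$mask" "$scope"
}

report
```

Run it inside the container as the user that will invoke criu; the CapEff line tells you which capabilities the container runtime actually granted, and the last line is the answer to the question asked in this issue for that host. To reproduce the "no" case on a test machine, set kernel.yama.ptrace_scope=1 and rerun without CAP_SYS_PTRACE.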