microsoft / vscode-dev-containers

NOTE: Most of the contents of this repository have been migrated to the new devcontainers GitHub org (https://github.com/devcontainers). See https://github.com/devcontainers/template-starter and https://github.com/devcontainers/feature-starter for information on creating your own!
https://aka.ms/vscode-remote
MIT License

Investigate removing "seccomp=unconfined" from definitions that use ptrace-based debuggers. #911

Open Chuxel opened 3 years ago

Chuxel commented 3 years ago

Supposedly recent versions of Docker only require --cap-add=SYS_PTRACE to enable ptrace-based debuggers used in definitions like Go, Rust, and C++. Being able to remove --security-opt seccomp=unconfined would improve security for the definitions, so it's worth seeing if we can safely remove them from the definitions without breaking functionality.
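The two settings the issue contrasts do different things: --cap-add=SYS_PTRACE grants the capability a debugger needs to attach to another process, while --security-opt seccomp=unconfined removes Docker's default syscall filter for every process in the container, which is far broader than the debugger needs (Docker 19.03 and later already permit the ptrace family of syscalls in the default profile on kernels 4.8+). The script below is an added example, not code from this repository: it audits a devcontainer.json runArgs list for seccomp=unconfined, produces the tightened list that keeps only SYS_PTRACE, and parses the Seccomp line of a /proc/<pid>/status dump so you can confirm from inside the container which mode is actually in effect. The devcontainer.json contents and status excerpts are constructed samples; whether a given debugger still works after the change is verified by running it, which this script does not do.

```python
"""Audit devcontainer.json runArgs for seccomp=unconfined and check the
effective seccomp mode from a /proc/<pid>/status dump (added example)."""
import json
import re

# Constructed sample devcontainer.json contents (hypothetical, not from the repo):
# the pattern the issue describes, and the tightened variant that keeps only the
# capability ptrace-based debuggers actually need.
BEFORE = {
    "runArgs": ["--cap-add=SYS_PTRACE", "--security-opt", "seccomp=unconfined"]
}
AFTER = {
    "runArgs": ["--cap-add=SYS_PTRACE"]
}

# Constructed /proc/<pid>/status excerpts as seen from inside a container.
# Seccomp: 0 = no filter (what seccomp=unconfined produces),
#          2 = filter mode (Docker's default profile).
STATUS_UNCONFINED = "Name:\tsleep\nCapEff:\t00000000a80c25fb\nSeccomp:\t0\n"
STATUS_DEFAULT = "Name:\tsleep\nCapEff:\t00000000a80c25fb\nSeccomp:\t2\n"

SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}


def _security_opts(run_args):
    """Yield ((start, end), value) for every --security-opt, whether written
    as one token '--security-opt=X' or as two tokens '--security-opt X'."""
    i = 0
    while i < len(run_args):
        arg = run_args[i]
        if arg.startswith("--security-opt="):
            yield (i, i), arg.split("=", 1)[1]
        elif arg == "--security-opt" and i + 1 < len(run_args):
            yield (i, i + 1), run_args[i + 1]
            i += 1  # skip the value token
        i += 1


def audit_run_args(run_args):
    """Return human-readable findings for settings that widen the kernel attack surface."""
    findings = []
    for _, value in _security_opts(run_args):
        if value == "seccomp=unconfined":
            findings.append("seccomp=unconfined: default syscall filter removed for the whole container")
        elif value == "apparmor=unconfined":
            findings.append("apparmor=unconfined: default MAC profile removed")
    if "--privileged" in run_args:
        findings.append("--privileged: all capabilities, no seccomp/AppArmor confinement")
    return findings


def tightened_run_args(run_args):
    """Drop only the seccomp=unconfined option; keep --cap-add=SYS_PTRACE and the rest."""
    drop = set()
    for (start, end), value in _security_opts(run_args):
        if value == "seccomp=unconfined":
            drop.update(range(start, end + 1))
    return [arg for i, arg in enumerate(run_args) if i not in drop]


def seccomp_mode_from_status(status_text):
    """Parse the 'Seccomp:' line of a /proc/<pid>/status dump into (mode, label)."""
    match = re.search(r"^Seccomp:\s*(\d+)", status_text, re.MULTILINE)
    if not match:
        return None, "unknown"  # no Seccomp line: kernel does not report it
    mode = int(match.group(1))
    return mode, SECCOMP_MODES.get(mode, "unknown")


if __name__ == "__main__":
    print("before:", audit_run_args(BEFORE["runArgs"]))
    print("after: ", audit_run_args(AFTER["runArgs"]))
    print("tightened:", json.dumps({"runArgs": tightened_run_args(BEFORE["runArgs"])}))
    for name, text in (("unconfined", STATUS_UNCONFINED), ("default", STATUS_DEFAULT)):
        print(name, seccomp_mode_from_status(text))
```

To check a live container rather than a constructed dump, run `grep Seccomp /proc/self/status` inside it: a value of 0 means the default profile was disabled, 2 means a filter is in place. The audit treats the one-token and two-token spellings of --security-opt the same, since devcontainer.json authors use both.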
