When running in debug mode, we need to grant CAP_SYS_PTRACE to the docker container so that gdb can run ptrace on the user's program. However, I don't want the user's program to have that capability. ptrace is a really complicated syscall with a large attack surface, and I won't be surprised if another serious ptrace vuln shows up in the future. I don't want to make it possible for someone to exploit such a vuln to escape the container.
We need to come up with some clever way of doing this. Currently, in debug mode, run.py launches gdb, and gdb launches the user's program, so we don't have control over how the user's program gets forked. However, maybe we can do something simple, like writing a silly program that does this:
drop CAP_SYS_PTRACE
exec(user program, args)
Then, we can run gdb on that program. Not sure if that will break gdb functionality, but it may be worth a shot.
When running in debug mode, we need to grant
CAP_SYS_PTRACE
to the docker container so thatgdb
can runptrace
on the user's program. However, I don't want the user's program to have that capability.ptrace
is a really complicated syscall with a large attack surface, and I won't be surprised if another serious ptrace vuln shows up in the future. I don't want to make it possible for someone to exploit such a vuln to escape the container.You can see that
CAP_SYS_PTRACE
is currently not being dropped: https://cplayground.com/?p=mallard-coyote-wasp&breakpoints=%5B9%5DWe need to come up with some clever way of doing this. Currently, in debug mode, run.py launches gdb, and gdb launches the user's program, so we don't have control over how the user's program gets forked. However, maybe we can do something simple, like writing a silly program that does this:
Then, we can run gdb on that program. Not sure if that will break gdb functionality, but it may be worth a shot.