Drop ptrace capabilities before executing program in debug mode

[reberhardt7]

When running in debug mode, we need to grant CAP_SYS_PTRACE to the docker container so that gdb can run ptrace on the user's program. However, I don't want the user's program to have that capability. ptrace is a really complicated syscall with a large attack surface, and I won't be surprised if another serious ptrace vuln shows up in the future. I don't want to make it possible for someone to exploit such a vuln to escape the container.

You can see that CAP_SYS_PTRACE is currently not being dropped: https://cplayground.com/?p=mallard-coyote-wasp&breakpoints=%5B9%5D

$ capsh --decode=0000000000080000
0x0000000000080000=cap_sys_ptrace

We need to come up with some clever way of doing this. Currently, in debug mode, run.py launches gdb, and gdb launches the user's program, so we don't have control over how the user's program gets forked. However, maybe we can do something simple, like writing a silly program that does this:

drop CAP_SYS_PTRACE
exec(user program, args)

Then, we can run gdb on that program. Not sure if that will break gdb functionality, but it may be worth a shot.

[glen3b]

I'm going to take a look at this.

[reberhardt7]

Closing this issue and opening #41 for remaining work. Thanks Glen!!