Docker, on recent kernel versions, whitelists the syscall without necessitating the add-dangerous-permission flag. Courtesy of this blog post.
Addresses #31. While this is the most important change on that front, I'm leaving that issue, per discussion with @reberhardt7, for discussion of the possibility that we can add a syscall filter to the user code to prevent the ptrace syscall entirely (as opposed to just the high-privilege 'ptrace anything' capability). It's a lower-priority issue now.