Hi! I’m another C9 user who found your question interesting.
I would have liked to tell you I found a solution. I gave it the ol’ college try, but unfortunately no such luck.
`/proc/sys` is indeed mounted read-only. I tried to use `sudo mount -o rw,remount /proc/sys` to change that, but got an error message. At least on this system, `root` is far from almighty!
`/proc/sys` is also not in `/etc/fstab`, so I could change its mount parameters there and reboot our Dockered Linux. Maybe it’s somewhere else that I’m not aware of?
- One recommended solution is to re-compile your kernel with this parameter set to 0 as it was before. Of course, since this Linux isn’t ours we can’t do this. Also, that would make our system a little less secure by default. This “capability” stuff was recently built into Linux for a reason.
- The more recommended solution is to selectively set the `CAP_PTRACE` capability not for the whole system but for just the `/usr/bin/gdb` executable. That would allow `gdb`, but only `gdb`, to do the attach thing. The utility for this is `setcap` if I remember correctly. I tried that, but wasn’t able to. Either I (i.e. `root`) don’t have the capability to assign capabilities like this, or the file system doesn’t support setting capabilities as file attributes.
- Betting on the file system, I tried to build myself a file system of my own on a loopback device that I could then format as I wished, mount, and onto which I could then copy `gdb` to grace it with the trace capability. No such luck, our system doesn’t “do” loop devices. Maybe that’s a no-no when running inside Docker - I found hints to that effect but no useful workaround.
This is when I gave up. The “capability” concept was intentionally built into Linux to keep people from doing the kind of thing we’re trying to do, and it seems to be watertight enough that even a `root` user doesn’t have the means to circumvent it.
On the one hand it’s nice to see Linux’s shiny new security concept working as designed, on the other it sucks to no longer be able to attach to processes from the outside, even as
I’d consider begging the gods of C9 to change the pre-baked value of `2` and giving `CAP_SYS_PTRACE` capability so that we’ll be able to `gdb`-attach as user
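As an added diagnostic, not part of this post or of Cloud9's own tooling, the shell function below takes the three facts the post works through (the `ptrace_scope` value, whether `/proc/sys` is writable, and whether `gdb` carries `cap_sys_ptrace` as a file capability) and reports which one blocks an attach; the `/proc/mounts` lines and `getcap` output it is fed are constructed samples, and the live probe at the bottom only runs where the Yama knob exists.

```shell
#!/bin/sh
# Added diagnostic (not from the post): report which of the three conditions the
# post describes stops gdb from attaching under Yama. Pure text processing, so it
# can run anywhere; the live probe at the end only runs where the knob exists.

# $1 scope  : contents of /proc/sys/kernel/yama/ptrace_scope (0..3)
# $2 mounts : text in /proc/mounts format
# $3 caps   : output of `getcap /usr/bin/gdb` (empty when no file capability is set)
# Returns 0 when attaching should work, 1 when it is blocked, 2 on bad input.
ptrace_diagnose() {
    scope=$1; mounts=$2; caps=$3
    case "$scope" in
        0) echo "scope=0: classic ptrace, a process may attach to others of its own uid"; return 0 ;;
        1) echo "scope=1: only descendants attachable, unless the tracer has cap_sys_ptrace" ;;
        2) echo "scope=2: admin-only, attach needs cap_sys_ptrace" ;;
        3) echo "scope=3: attach disabled and cannot be re-enabled without a reboot"; return 1 ;;
        *) echo "unknown ptrace_scope value '$scope'"; return 2 ;;
    esac
    # Lowering the value with sysctl only works if /proc/sys is writable.
    if printf '%s\n' "$mounts" |
        awk '$2 == "/proc/sys" && $4 ~ /(^|,)ro(,|$)/ { found = 1 } END { exit !found }'; then
        echo "/proc/sys is mounted read-only: sysctl -w kernel.yama.ptrace_scope=0 will fail"
    else
        echo "/proc/sys is writable: sysctl -w kernel.yama.ptrace_scope=0 should work"
    fi
    # Otherwise the capability has to come from the gdb binary itself.
    case "$caps" in
        *cap_sys_ptrace*) echo "gdb carries cap_sys_ptrace as a file capability: attach should be permitted"; return 0 ;;
        *) echo "gdb has no cap_sys_ptrace file capability (setcap cap_sys_ptrace=ep /usr/bin/gdb would add it, if the filesystem stores xattrs)"; return 1 ;;
    esac
}

# Constructed sample in /proc/mounts format, mirroring what Docker sets up.
MOUNTS_SAMPLE='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0'

# Probe the live system where possible; never fails the script.
if [ -r /proc/sys/kernel/yama/ptrace_scope ]; then
    ptrace_diagnose "$(cat /proc/sys/kernel/yama/ptrace_scope)" \
                    "$(cat /proc/mounts)" \
                    "$(getcap /usr/bin/gdb 2>/dev/null)" || true
else
    ptrace_diagnose 2 "$MOUNTS_SAMPLE" "" || true
fi
```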