Solve the problem that docker uses GDB and cannot enter breakpoints
- 2021-09-12 02:40:19
- OfStack
Problem
Running gdb in docker, breaking point, but unable to enter breakpoint
Cause
docker in order to ensure the security of the host, docker has opened many security settings, including ASLR (Address space layout randomization), that is, the memory address in docker is different from that of the host.
ASLR causes address-dependent programs such as GDB to fail.
Solution
Using the super permissions of docker, add--privileged (two horizontal lines, markdown syntax
Such as:
docker run-privileged … …
GDB can operate normally
Super privilege will turn off many security settings, which can make full use of docker capabilities
For example, docker can be opened in docker, hehe.
Additional knowledge: docker ptrace: Operation not permitted
gdb in docker will report an error during the process debug:
(gdb) attach 30721
Attaching to process 30721
ptrace: Operation not permitted.
The reason is that ptrace is prohibited by default by Docker. Considering the need of application analysis, there are several methods to solve it:
1. Turn off seccomp
docker run --security-opt seccomp=unconfined
2. Adopt super permission mode
docker run --privileged
3. Only open ptrace restrictions
docker run --cap-add sys_ptrace
Of course, from the security point of view, if you only want to use gdb for debug, it is recommended to use the third one.
Secure Computing Mode (secure computing mode, seccomp) is an Linux kernel feature that can be used to restrict the operations available within the container.
The default seccomp configuration file for Docker is a white list that specifies the allowed calls.
The following table lists important (but not all) system calls that are effectively blocked because they are not on the white list. This table contains the reason why each system call was blocked.
Syscall | Description |
---|---|
acct | Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_PACCT. |
add_key | Prevent containers from using the kernel keyring, which is not namespaced. |
adjtimex | Similar to clock_settime and settimeofday, time/date is not namespaced. Also gated by CAP_SYS_TIME. |
bpf | Deny loading potentially persistent bpf programs into kernel, already gated by CAP_SYS_ADMIN. |
clock_adjtime | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
clock_settime | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
clone | Deny cloning new namespaces. Also gated by CAP_SYS_ADMIN for CLONE_* flags, except CLONE_USERNS. |
create_module | Deny manipulation and functions on kernel modules. Obsolete. Also gated by CAP_SYS_MODULE. |
delete_module | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
finit_module | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
get_kernel_syms | Deny retrieval of exported kernel and module symbols. Obsolete. |
get_mempolicy | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
init_module | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
ioperm | Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO. |
iopl | Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO. |
kcmp | Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
kexec_file_load | Sister syscall of kexec_load that does the same thing, slightly different arguments. Also gated by CAP_SYS_BOOT. |
kexec_load | Deny loading a new kernel for later execution. Also gated by CAP_SYS_BOOT. |
keyctl | Prevent containers from using the kernel keyring, which is not namespaced. |
lookup_dcookie | Tracing/profiling syscall, which could leak a lot of information on the host. Also gated by CAP_SYS_ADMIN. |
mbind | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
mount | Deny mounting, already gated by CAP_SYS_ADMIN. |
move_pages | Syscall that modifies kernel memory and NUMA settings. |
name_to_handle_at | Sister syscall to open_by_handle_at. Already gated by CAP_SYS_NICE. |
nfsservctl | Deny interaction with the kernel nfs daemon. Obsolete since Linux 3.1. |
open_by_handle_at | Cause of an old container breakout. Also gated by CAP_DAC_READ_SEARCH. |
perf_event_open | Tracing/profiling syscall, which could leak a lot of information on the host. |
personality | Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulns. |
pivot_root | Deny pivot_root, should be privileged operation. |
process_vm_readv | Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
process_vm_writev | Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
ptrace | Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping CAP_PTRACE. |
query_module | Deny manipulation and functions on kernel modules. Obsolete. |
quotactl | Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_ADMIN. |
reboot | Don't let containers reboot the host. Also gated by CAP_SYS_BOOT. |
request_key | Prevent containers from using the kernel keyring, which is not namespaced. |
set_mempolicy | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
setns | Deny associating a thread with a namespace. Also gated by CAP_SYS_ADMIN. |
settimeofday | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
socket, socketcall | Used to send or receive packets and for other socket operations. All socket and socketcall calls are blocked except communication domains AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, and AF_PACKET. |
stime | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
swapon | Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN. |
swapoff | Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN. |
sysfs | Obsolete syscall. |
_sysctl | Obsolete, replaced by /proc/sys. |
umount | Should be a privileged operation. Also gated by CAP_SYS_ADMIN. |
umount2 | Should be a privileged operation. Also gated by CAP_SYS_ADMIN. |
unshare | Deny cloning new namespaces for processes. Also gated by CAP_SYS_ADMIN, with the exception of unshare �user. |
uselib | Older syscall related to shared libraries, unused for a long time. |
userfaultfd | Userspace page fault handling, largely needed for process migration. |
ustat | Obsolete syscall. |
vm86 | In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN. |
vm86old | In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN. |