Solve the problem that docker uses GDB and cannot enter breakpoints

2021-09-12 02:40:19
OfStack

 
Problem 
 
Running gdb in docker, breaking point, but unable to enter breakpoint 
 
Cause 
 
docker in order to ensure the security of the host, docker has opened many security settings, including ASLR (Address space layout randomization), that is, the memory address in docker is different from that of the host. 
 
ASLR causes address-dependent programs such as GDB to fail. 
 
Solution 
 
Using the super permissions of docker, add--privileged (two horizontal lines, markdown syntax 
 
Such as: 
 
docker run-privileged … … 
 
GDB can operate normally 
 
Super privilege will turn off many security settings, which can make full use of docker capabilities 
 
For example, docker can be opened in docker, hehe. 
 
Additional knowledge: docker ptrace: Operation not permitted 
 
gdb in docker will report an error during the process debug: 
 
(gdb) attach 30721 
 
Attaching to process 30721 
 
ptrace: Operation not permitted. 
 
The reason is that ptrace is prohibited by default by Docker. Considering the need of application analysis, there are several methods to solve it: 
 
1. Turn off seccomp 
 
docker run --security-opt seccomp=unconfined 
 
2. Adopt super permission mode 
 
docker run --privileged 
 
3. Only open ptrace restrictions 
 
docker run --cap-add sys_ptrace 
 
Of course, from the security point of view, if you only want to use gdb for debug, it is recommended to use the third one. 
 
Secure Computing Mode (secure computing mode, seccomp) is an Linux kernel feature that can be used to restrict the operations available within the container. 
 
The default seccomp configuration file for Docker is a white list that specifies the allowed calls. 
 
The following table lists important (but not all) system calls that are effectively blocked because they are not on the white list. This table contains the reason why each system call was blocked. 

      Syscall
      Description
    
      acct
      Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_PACCT.
    
      add_key
      Prevent containers from using the kernel keyring, which is not namespaced.
    
      adjtimex
      Similar to clock_settime and settimeofday, time/date is not namespaced. Also gated by CAP_SYS_TIME.
    
      bpf
      Deny loading potentially persistent bpf programs into kernel, already gated by CAP_SYS_ADMIN.
    
      clock_adjtime
      Time/date is not namespaced. Also gated by CAP_SYS_TIME.
    
      clock_settime
      Time/date is not namespaced. Also gated by CAP_SYS_TIME.
    
      clone
      Deny cloning new namespaces. Also gated by CAP_SYS_ADMIN for CLONE_* flags, except CLONE_USERNS.
    
      create_module
      Deny manipulation and functions on kernel modules. Obsolete. Also gated by CAP_SYS_MODULE.
    
      delete_module
      Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
    
      finit_module
      Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
    
      get_kernel_syms
      Deny retrieval of exported kernel and module symbols. Obsolete.
    
      get_mempolicy
      Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
    
      init_module
      Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
    
      ioperm
      Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO.
    
      iopl
      Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO.
    
      kcmp
      Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
    
      kexec_file_load
      Sister syscall of kexec_load that does the same thing, slightly different arguments. Also gated by CAP_SYS_BOOT.
    
      kexec_load
      Deny loading a new kernel for later execution. Also gated by CAP_SYS_BOOT.
    
      keyctl
      Prevent containers from using the kernel keyring, which is not namespaced.
    
      lookup_dcookie
      Tracing/profiling syscall, which could leak a lot of information on the host. Also gated by CAP_SYS_ADMIN.
    
      mbind
      Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
    
      mount
      Deny mounting, already gated by CAP_SYS_ADMIN.
    
      move_pages
      Syscall that modifies kernel memory and NUMA settings.
    
      name_to_handle_at
      Sister syscall to open_by_handle_at. Already gated by CAP_SYS_NICE.
    
      nfsservctl
      Deny interaction with the kernel nfs daemon. Obsolete since Linux 3.1.
    
      open_by_handle_at
      Cause of an old container breakout. Also gated by CAP_DAC_READ_SEARCH.
    
      perf_event_open
      Tracing/profiling syscall, which could leak a lot of information on the host.
    
      personality
      Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulns.
    
      pivot_root
      Deny pivot_root, should be privileged operation.
    
      process_vm_readv
      Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
    
      process_vm_writev
      Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
    
      ptrace
      Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping CAP_PTRACE.
    
      query_module
      Deny manipulation and functions on kernel modules. Obsolete.
    
      quotactl
      Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_ADMIN.
    
      reboot
      Don't let containers reboot the host. Also gated by CAP_SYS_BOOT.
    
      request_key
      Prevent containers from using the kernel keyring, which is not namespaced.
    
      set_mempolicy
      Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
    
      setns
      Deny associating a thread with a namespace. Also gated by CAP_SYS_ADMIN.
    
      settimeofday
      Time/date is not namespaced. Also gated by CAP_SYS_TIME.
    
      socket, socketcall
      Used to send or receive packets and for other socket operations. All socket and socketcall calls are blocked except communication domains AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, and AF_PACKET.
    
      stime
      Time/date is not namespaced. Also gated by CAP_SYS_TIME.
    
      swapon
      Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN.
    
      swapoff
      Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN.
    
      sysfs
      Obsolete syscall.
    
      _sysctl
      Obsolete, replaced by /proc/sys.
    
      umount
      Should be a privileged operation. Also gated by CAP_SYS_ADMIN.
    
      umount2
      Should be a privileged operation. Also gated by CAP_SYS_ADMIN.
    
      unshare
      Deny cloning new namespaces for processes. Also gated by CAP_SYS_ADMIN, with the exception of unshare �user.
    
      uselib
      Older syscall related to shared libraries, unused for a long time.
    
      userfaultfd
      Userspace page fault handling, largely needed for process migration.
    
      ustat
      Obsolete syscall.
    
      vm86
      In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN.
    
      vm86old
      In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN.

Syscall	Description
acct	Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_PACCT.
add_key	Prevent containers from using the kernel keyring, which is not namespaced.
adjtimex	Similar to clock_settime and settimeofday, time/date is not namespaced. Also gated by CAP_SYS_TIME.
bpf	Deny loading potentially persistent bpf programs into kernel, already gated by CAP_SYS_ADMIN.
clock_adjtime	Time/date is not namespaced. Also gated by CAP_SYS_TIME.
clock_settime	Time/date is not namespaced. Also gated by CAP_SYS_TIME.
clone	Deny cloning new namespaces. Also gated by CAP_SYS_ADMIN for CLONE_* flags, except CLONE_USERNS.
create_module	Deny manipulation and functions on kernel modules. Obsolete. Also gated by CAP_SYS_MODULE.
delete_module	Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
finit_module	Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
get_kernel_syms	Deny retrieval of exported kernel and module symbols. Obsolete.
get_mempolicy	Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
init_module	Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
ioperm	Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO.
iopl	Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO.
kcmp	Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
kexec_file_load	Sister syscall of kexec_load that does the same thing, slightly different arguments. Also gated by CAP_SYS_BOOT.
kexec_load	Deny loading a new kernel for later execution. Also gated by CAP_SYS_BOOT.
keyctl	Prevent containers from using the kernel keyring, which is not namespaced.
lookup_dcookie	Tracing/profiling syscall, which could leak a lot of information on the host. Also gated by CAP_SYS_ADMIN.
mbind	Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
mount	Deny mounting, already gated by CAP_SYS_ADMIN.
move_pages	Syscall that modifies kernel memory and NUMA settings.
name_to_handle_at	Sister syscall to open_by_handle_at. Already gated by CAP_SYS_NICE.
nfsservctl	Deny interaction with the kernel nfs daemon. Obsolete since Linux 3.1.
open_by_handle_at	Cause of an old container breakout. Also gated by CAP_DAC_READ_SEARCH.
perf_event_open	Tracing/profiling syscall, which could leak a lot of information on the host.
personality	Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulns.
pivot_root	Deny pivot_root, should be privileged operation.
process_vm_readv	Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
process_vm_writev	Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
ptrace	Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping CAP_PTRACE.
query_module	Deny manipulation and functions on kernel modules. Obsolete.
quotactl	Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_ADMIN.
reboot	Don't let containers reboot the host. Also gated by CAP_SYS_BOOT.
request_key	Prevent containers from using the kernel keyring, which is not namespaced.
set_mempolicy	Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
setns	Deny associating a thread with a namespace. Also gated by CAP_SYS_ADMIN.
settimeofday	Time/date is not namespaced. Also gated by CAP_SYS_TIME.
socket, socketcall	Used to send or receive packets and for other socket operations. All socket and socketcall calls are blocked except communication domains AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, and AF_PACKET.
stime	Time/date is not namespaced. Also gated by CAP_SYS_TIME.
swapon	Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN.
swapoff	Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN.
sysfs	Obsolete syscall.
_sysctl	Obsolete, replaced by /proc/sys.
umount	Should be a privileged operation. Also gated by CAP_SYS_ADMIN.
umount2	Should be a privileged operation. Also gated by CAP_SYS_ADMIN.
unshare	Deny cloning new namespaces for processes. Also gated by CAP_SYS_ADMIN, with the exception of unshare �user.
uselib	Older syscall related to shared libraries, unused for a long time.
userfaultfd	Userspace page fault handling, largely needed for process migration.
ustat	Obsolete syscall.
vm86	In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN.
vm86old	In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN.