This is the mail archive of the
gdb-patches@sourceware.org
mailing list for the GDB project.
Re: [PATCH 2/9 v2] Introduce nat/linux-namespaces.[ch]
- From: Alban Crequy <alban at endocode dot com>
- To: Gary Benson <gbenson at redhat dot com>
- Cc: gdb-patches at sourceware dot org, Eli Zaretskii <eliz at gnu dot org>, Pedro Alves <palves at redhat dot com>, Doug Evans <dje at google dot com>, Iago LÃpez Galeiras <iago at endocode dot com>
- Date: Fri, 1 May 2015 15:18:20 +0200
- Subject: Re: [PATCH 2/9 v2] Introduce nat/linux-namespaces.[ch]
- Authentication-results: sourceware.org; auth=none
- References: <1429186791-6867-1-git-send-email-gbenson at redhat dot com> <1430395542-16017-3-git-send-email-gbenson at redhat dot com> <20150501000739 dot 740 dot 47967 at domU-12-31-39-0A-A0-4F> <20150501092817 dot GA28105 at blade dot nx>
On Fri, May 1, 2015 at 11:28 AM, Gary Benson <gbenson@redhat.com> wrote:
>
> Alban Crequy wrote:
> > On Thu, Apr 30, 2015 at 2:05 PM, Gary Benson <gbenson@redhat.com> wrote:
> > > This commit introduces new shared files nat/linux-namespaces.[ch]
> > > containing code to support Linux namespaces that will be used by
> > > both GDB and gdbserver.
> >
> > Thanks for working on this!
> >
> > > +/* We need to use setns(2) to handle filesystem access in mount
> > > + namespaces other than our own, but this isn't permitted for
> > > + multithreaded processes. GDB is multithreaded when compiled
> > > + with Guile support, and may become multithreaded if compiled
> > > + with Python support. We deal with this by spawning a single-
> > > + threaded helper process to access mount namespaces other than
> > > + our own.
> >
> > setns() needs CAP_SYS_CHROOT and CAP_SYS_ADMIN to change the mnt
> > namespace. So users will need to run gdb as root...
>
> As root, or with those privileges yes. But if you're attaching to
> a process in a container, it's not running as the same UID as you;
> you have to have CAP_SYS_PTRACE, for example, to even get to the
> point where GDB wants to access the files.
Ok, I understand the scenario.
I had tried only with a non-root process in the container and gdb on
the host with the same uid, so I didn't need CAP_SYS_PTRACE. But
that's probably not a good use case.
> The scenario I'm targeting is that you have an application you want
> to debug running in a container. You don't want to run GDB as root
> on the container host, so you start a second container with just the
> privileges you need and run GDB from there.
How do you get the pid of the process to give as a parameter to "gdb
-p" if gdb is running in a different pid namespace than the process to
debug?
> I've been testing this with Docker, which has --cap-add and --cap-drop
> options to adjust what privileges containers are granted when they are
> created with "docker run". I'm assuming other containering systems
> have something similar.
>
> > Would accessing the files directly through
> > /proc/<pid_of_traced_process>/root/usr/lib/debug/... work, without
> > needing the superuser? If it works, it would also remove the
> > requirement for the single-threaded helper process.
>
> No, you need to be root (or have CAP_DAC_OVERRIDE or something) to
> access /proc/PID/root. There's also issues with symlinks pointing
> back to / if you access the files that way. I investigated it back
> in February and I don't think you can handle paths with symlinks in
> a way that's 100% race-free. (I've not been overly concerned with
> security but I didn't want to introduce a way for a hostile app to
> exploit GDB to break out of its container.)
Thanks for the explanation.
Cheers,
Alban
> Cheers,
> Gary
>
> --
> http://gbenson.net/