From 5c51d08b701388f442ad8bfe8f8aba5af170b429 Mon Sep 17 00:00:00 2001
From: iQQBot
Date: Wed, 13 Nov 2024 00:13:50 +0800
Subject: [PATCH] [supervisor] add ptrace cap for all child process (#20359)

* [supervisor] add ptrace cap for all child process

* addressed feedback
---
 components/supervisor/pkg/supervisor/ssh.go | 3 +++
 .../supervisor/pkg/supervisor/supervisor.go | 12 ++++++++++++
 components/supervisor/pkg/terminal/service.go | 15 ++++++++++++---
 3 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/components/supervisor/pkg/supervisor/ssh.go b/components/supervisor/pkg/supervisor/ssh.go
index 33bb488ec163d7..9e5faf0c2c5379 100644
--- a/components/supervisor/pkg/supervisor/ssh.go
+++ b/components/supervisor/pkg/supervisor/ssh.go
@@ -170,6 +170,9 @@ func (s *sshServer) handleConn(ctx context.Context, conn net.Conn) {
 	cmd.Env = s.envvars
 	cmd.ExtraFiles = []*os.File{socketFD}
 	cmd.Stderr = os.Stderr
+
+	cmd.SysProcAttr.AmbientCaps = grantCapSysPtrace(cmd.SysProcAttr.AmbientCaps)
+
 	if s.cfg.WorkspaceLogRateLimit > 0 {
 		limit := int64(s.cfg.WorkspaceLogRateLimit)
 		cmd.Stderr = dropwriter.Writer(cmd.Stderr, dropwriter.NewBucket(limit*1024*3, limit*1024))
diff --git a/components/supervisor/pkg/supervisor/supervisor.go b/components/supervisor/pkg/supervisor/supervisor.go
index 7e82587061daea..f77c3aee2f09cd 100644
--- a/components/supervisor/pkg/supervisor/supervisor.go
+++ b/components/supervisor/pkg/supervisor/supervisor.go
@@ -42,6 +42,7 @@ import (
 	"github.com/prometheus/common/route"
 	"github.com/soheilhy/cmux"
 	"golang.org/x/crypto/ssh"
+	"golang.org/x/sys/unix"
 	"golang.org/x/xerrors"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
@@ -356,6 +357,9 @@ func Run(options ...RunOption) {
 		Uid: gitpodUID,
 		Gid: gitpodGID,
 	}
+	if !cfg.isHeadless() {
+		termMuxSrv.DefaultAmbientCaps = grantCapSysPtrace(termMuxSrv.DefaultAmbientCaps)
+	}
 
 	taskManager := newTasksManager(cfg, termMuxSrv, cstate, nil, ideReady, desktopIdeReady)
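Review bot: The added line in handleConn dereferences `cmd.SysProcAttr` without checking it for nil; unless the attribute struct is assigned earlier in the function (that part of handleConn lies outside the hunk), every SSH connection would panic here. The terminal path in service.go guards the same assignment with `if cmd.SysProcAttr == nil { cmd.SysProcAttr = &syscall.SysProcAttr{} }`, and the same guard belongs here so the two call sites behave alike. It is also worth a one-line comment that this is an ambient set, so every process the SSH session later executes keeps CAP_SYS_PTRACE, which is the property a reviewer of the SSH path needs to know.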
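Review bot: The grant in Run has no fallback if the supervisor's own permitted set does not include CAP_SYS_PTRACE: Go raises ambient capabilities in the forked child, and when that fails the exec of every terminal fails rather than degrading to a terminal without the capability. A startup probe of the supervisor's capabilities (for example via `unix.Capget` with `unix.CapUserHeader`/`unix.CapUserData`) that logs and skips the grant when the capability is absent would keep terminals working on hosts with a tighter bounding set. The `!cfg.isHeadless()` condition also deserves a short comment, e.g. `// headless (prebuild) workspaces get no debugger-attach capability`, since prepareIDELaunch and the SSH server grant it unconditionally and the asymmetry is not explained anywhere in the patch.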
@@ -1036,6 +1040,8 @@ func prepareIDELaunch(cfg *Config, ideConfig *IDEConfig) *exec.Cmd {
 	cmd.SysProcAttr.Setpgid = true
 	cmd.SysProcAttr.Pdeathsig = syscall.SIGKILL
 
+	cmd.SysProcAttr.AmbientCaps = grantCapSysPtrace(cmd.SysProcAttr.AmbientCaps)
+
 	// Here we must resist the temptation to "neaten up" the IDE output for headless builds.
 	// This would break the JSON parsing of the headless builds.
 	cmd.Stdout = os.Stdout
@@ -1978,3 +1984,9 @@ func waitForIde(parent context.Context, ideReady *ideReadyState, desktopIdeReady
 	}
 	return true, ""
 }
+
+// We grant ptrace for IDE, terminal, ssh and their child process
+// It's make IDE attach more easier
+func grantCapSysPtrace(caps []uintptr) []uintptr {
+	return append(caps, unix.CAP_SYS_PTRACE)
+}
diff --git a/components/supervisor/pkg/terminal/service.go b/components/supervisor/pkg/terminal/service.go
index 9b526c847d74ad..378c786fb7619f 100644
--- a/components/supervisor/pkg/terminal/service.go
+++ b/components/supervisor/pkg/terminal/service.go
@@ -48,9 +48,10 @@ type MuxTerminalService struct {
 	// if returns empty string then DefaultWorkdir is used
 	DefaultWorkdirProvider func() string
 
-	DefaultShell string
-	Env          []string
-	DefaultCreds *syscall.Credential
+	DefaultShell       string
+	Env                []string
+	DefaultCreds       *syscall.Credential
+	DefaultAmbientCaps []uintptr
 
 	api.UnimplementedTerminalServiceServer
 }
@@ -109,6 +110,14 @@ func (srv *MuxTerminalService) OpenWithOptions(ctx context.Context, req *api.Ope
 			Y: uint16(req.Size.HeightPx),
 		}
 	}
+
+	if srv.DefaultAmbientCaps != nil {
+		if cmd.SysProcAttr == nil {
+			cmd.SysProcAttr = &syscall.SysProcAttr{}
+		}
+		cmd.SysProcAttr.AmbientCaps = srv.DefaultAmbientCaps
+	}
+
 	alias, err := srv.Mux.Start(cmd, options)
 	if err != nil {
 		return nil, status.Error(codes.Internal, err.Error())
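Review bot: The IDE grant in prepareIDELaunch is unconditional, while the terminal grant in Run is wrapped in `!cfg.isHeadless()`; the context comment two lines below shows this function also launches the IDE for headless builds, so prebuild IDE process trees receive CAP_SYS_PTRACE even though their terminals do not. If the headless exclusion is deliberate, the same gate belongs here: `if !cfg.isHeadless() { cmd.SysProcAttr.AmbientCaps = grantCapSysPtrace(cmd.SysProcAttr.AmbientCaps) }`; if it is not, a comment stating why the IDE differs would stop the next reader from "fixing" it. The body of prepareIDELaunch starts before this hunk.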
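Review bot: grantCapSysPtrace appends unconditionally, so a second call on the same slice (the IDE and SSH call sites pass in whatever `cmd.SysProcAttr.AmbientCaps` already holds) produces duplicate entries, and a plain `append` on a slice with spare capacity writes into a backing array the caller may share with another command. The doc comment also does not follow the Go convention of starting with the function name, and "It's make IDE attach more easier" should read as a sentence that names the security-relevant property: the capability is ambient, so every descendant of these processes keeps it across execve. Checking for the capability before appending and forcing a copy with a three-index slice addresses both; the rewrite is below.
```go
// grantCapSysPtrace returns caps with CAP_SYS_PTRACE added. The result is
// used as an ambient capability set for the IDE, terminal and SSH processes,
// so every descendant keeps the capability across execve; it is granted so
// that a debugger can attach to the IDE.
func grantCapSysPtrace(caps []uintptr) []uintptr {
	for _, c := range caps {
		if c == unix.CAP_SYS_PTRACE {
			return caps // already present; keep repeated calls idempotent
		}
	}
	// three-index slice forces append to copy instead of writing into a
	// backing array the caller may share with another command
	return append(caps[:len(caps):len(caps)], unix.CAP_SYS_PTRACE)
}
```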
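Review bot: The new DefaultAmbientCaps field has no doc comment, although its sibling DefaultWorkdirProvider carries one and this field changes the privilege of every process the service starts. Something like `// DefaultAmbientCaps, when non-nil, becomes the ambient capability set of each terminal started through OpenWithOptions; ambient capabilities are inherited by every descendant of that terminal.` tells a maintainer what setting it implies before they touch it.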
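Review bot: `cmd.SysProcAttr.AmbientCaps = srv.DefaultAmbientCaps` stores the service-wide slice itself on the command, so any later `append` to the command's AmbientCaps with spare capacity (the pattern grantCapSysPtrace uses elsewhere in this patch) would write through into the shared default. Copying at this boundary, `cmd.SysProcAttr.AmbientCaps = append([]uintptr(nil), srv.DefaultAmbientCaps...)`, isolates each command without a new import. The `!= nil` test would also read better as `len(srv.DefaultAmbientCaps) > 0`, since an empty non-nil slice currently allocates a SysProcAttr for nothing; OpenWithOptions begins before this hunk, so whether cmd can already carry AmbientCaps that this assignment silently replaces is not visible here.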