[supervisor] add ptrace cap for all child process (#20359)

iQQBot · web-flow · commit 5c51d08b7013 · 2024-11-12T11:13:50.000-05:00
* [supervisor] add ptrace cap for all child process

* addressed feedback
diff --git a/components/supervisor/pkg/supervisor/ssh.go b/components/supervisor/pkg/supervisor/ssh.go
@@ -170,6 +170,9 @@ func (s *sshServer) handleConn(ctx context.Context, conn net.Conn) {
 	cmd.Env = s.envvars
 	cmd.ExtraFiles = []*os.File{socketFD}
 	cmd.Stderr = os.Stderr
+
+	cmd.SysProcAttr.AmbientCaps = grantCapSysPtrace(cmd.SysProcAttr.AmbientCaps)
+
 	if s.cfg.WorkspaceLogRateLimit > 0 {
 		limit := int64(s.cfg.WorkspaceLogRateLimit)
 		cmd.Stderr = dropwriter.Writer(cmd.Stderr, dropwriter.NewBucket(limit*1024*3, limit*1024))
diff --git a/components/supervisor/pkg/supervisor/supervisor.go b/components/supervisor/pkg/supervisor/supervisor.go
@@ -42,6 +42,7 @@ import (
 	"github.com/prometheus/common/route"
 	"github.com/soheilhy/cmux"
 	"golang.org/x/crypto/ssh"
+	"golang.org/x/sys/unix"
 	"golang.org/x/xerrors"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
@@ -356,6 +357,9 @@ func Run(options ...RunOption) {
 		Uid: gitpodUID,
 		Gid: gitpodGID,
 	}
+	if !cfg.isHeadless() {
+		termMuxSrv.DefaultAmbientCaps = grantCapSysPtrace(termMuxSrv.DefaultAmbientCaps)
+	}
 
 	taskManager := newTasksManager(cfg, termMuxSrv, cstate, nil, ideReady, desktopIdeReady)
 
@@ -1036,6 +1040,8 @@ func prepareIDELaunch(cfg *Config, ideConfig *IDEConfig) *exec.Cmd {
 	cmd.SysProcAttr.Setpgid = true
 	cmd.SysProcAttr.Pdeathsig = syscall.SIGKILL
 
+	cmd.SysProcAttr.AmbientCaps = grantCapSysPtrace(cmd.SysProcAttr.AmbientCaps)
+
 	// Here we must resist the temptation to "neaten up" the IDE output for headless builds.
 	// This would break the JSON parsing of the headless builds.
 	cmd.Stdout = os.Stdout
@@ -1978,3 +1984,9 @@ func waitForIde(parent context.Context, ideReady *ideReadyState, desktopIdeReady
 	}
 	return true, ""
 }
+
+// We grant ptrace for IDE, terminal, ssh and their child process
+// It's make IDE attach more easier
+func grantCapSysPtrace(caps []uintptr) []uintptr {
+	return append(caps, unix.CAP_SYS_PTRACE)
+}
diff --git a/components/supervisor/pkg/terminal/service.go b/components/supervisor/pkg/terminal/service.go
@@ -48,9 +48,10 @@ type MuxTerminalService struct {
 	// if returns empty string then DefaultWorkdir is used
 	DefaultWorkdirProvider func() string
 
-	DefaultShell string
-	Env          []string
-	DefaultCreds *syscall.Credential
+	DefaultShell       string
+	Env                []string
+	DefaultCreds       *syscall.Credential
+	DefaultAmbientCaps []uintptr
 
 	api.UnimplementedTerminalServiceServer
 }
@@ -109,6 +110,14 @@ func (srv *MuxTerminalService) OpenWithOptions(ctx context.Context, req *api.Ope
 			Y:    uint16(req.Size.HeightPx),
 		}
 	}
+
+	if srv.DefaultAmbientCaps != nil {
+		if cmd.SysProcAttr == nil {
+			cmd.SysProcAttr = &syscall.SysProcAttr{}
+		}
+		cmd.SysProcAttr.AmbientCaps = srv.DefaultAmbientCaps
+	}
+
 	alias, err := srv.Mux.Start(cmd, options)
 	if err != nil {
 		return nil, status.Error(codes.Internal, err.Error())
