addressed feedback

iQQBot · iQQBot · commit 7ef5a2c887f7 · 2024-11-12T15:34:30.000Z
diff --git a/components/supervisor/pkg/supervisor/ssh.go b/components/supervisor/pkg/supervisor/ssh.go
@@ -15,7 +15,6 @@ import (
 	"path/filepath"
 	"strings"
 
-	"golang.org/x/sys/unix"
 	"golang.org/x/xerrors"
 
 	"github.com/gitpod-io/gitpod/common-go/log"
@@ -171,7 +170,9 @@ func (s *sshServer) handleConn(ctx context.Context, conn net.Conn) {
 	cmd.Env = s.envvars
 	cmd.ExtraFiles = []*os.File{socketFD}
 	cmd.Stderr = os.Stderr
-	cmd.SysProcAttr.AmbientCaps = append(cmd.SysProcAttr.AmbientCaps, unix.CAP_SYS_PTRACE)
+
+	cmd.SysProcAttr.AmbientCaps = grantCapSysPtrace(cmd.SysProcAttr.AmbientCaps)
+
 	if s.cfg.WorkspaceLogRateLimit > 0 {
 		limit := int64(s.cfg.WorkspaceLogRateLimit)
 		cmd.Stderr = dropwriter.Writer(cmd.Stderr, dropwriter.NewBucket(limit*1024*3, limit*1024))
diff --git a/components/supervisor/pkg/supervisor/supervisor.go b/components/supervisor/pkg/supervisor/supervisor.go
@@ -358,7 +358,7 @@ func Run(options ...RunOption) {
 		Gid: gitpodGID,
 	}
 	if !cfg.isHeadless() {
-		termMuxSrv.DefaultAmbientCaps = append(termMuxSrv.DefaultAmbientCaps, unix.CAP_SYS_PTRACE)
+		termMuxSrv.DefaultAmbientCaps = grantCapSysPtrace(termMuxSrv.DefaultAmbientCaps)
 	}
 
 	taskManager := newTasksManager(cfg, termMuxSrv, cstate, nil, ideReady, desktopIdeReady)
@@ -1040,7 +1040,7 @@ func prepareIDELaunch(cfg *Config, ideConfig *IDEConfig) *exec.Cmd {
 	cmd.SysProcAttr.Setpgid = true
 	cmd.SysProcAttr.Pdeathsig = syscall.SIGKILL
 
-	cmd.SysProcAttr.AmbientCaps = append(cmd.SysProcAttr.AmbientCaps, unix.CAP_SYS_PTRACE)
+	cmd.SysProcAttr.AmbientCaps = grantCapSysPtrace(cmd.SysProcAttr.AmbientCaps)
 
 	// Here we must resist the temptation to "neaten up" the IDE output for headless builds.
 	// This would break the JSON parsing of the headless builds.
@@ -1984,3 +1984,9 @@ func waitForIde(parent context.Context, ideReady *ideReadyState, desktopIdeReady
 	}
 	return true, ""
 }
+
+// We grant ptrace for IDE, terminal, ssh and their child process
+// It's make IDE attach more easier
+func grantCapSysPtrace(caps []uintptr) []uintptr {
+	return append(caps, unix.CAP_SYS_PTRACE)
+}

Original file line number	Diff line number	Diff line change
`@@ -358,7 +358,7 @@ func Run(options ...RunOption) {`
`358`	`358`	`Gid: gitpodGID,`
`359`	`359`	`}`
`360`	`360`	`if !cfg.isHeadless() {`
`361`		`- termMuxSrv.DefaultAmbientCaps = append(termMuxSrv.DefaultAmbientCaps, unix.CAP_SYS_PTRACE)`
	`361`	`+ termMuxSrv.DefaultAmbientCaps = grantCapSysPtrace(termMuxSrv.DefaultAmbientCaps)`
`362`	`362`	`}`
`363`	`363`
`364`	`364`	`taskManager := newTasksManager(cfg, termMuxSrv, cstate, nil, ideReady, desktopIdeReady)`
`@@ -1040,7 +1040,7 @@ func prepareIDELaunch(cfg Config, ideConfig IDEConfig) *exec.Cmd {`
`1040`	`1040`	`cmd.SysProcAttr.Setpgid = true`
`1041`	`1041`	`cmd.SysProcAttr.Pdeathsig = syscall.SIGKILL`
`1042`	`1042`
`1043`		`- cmd.SysProcAttr.AmbientCaps = append(cmd.SysProcAttr.AmbientCaps, unix.CAP_SYS_PTRACE)`
	`1043`	`+ cmd.SysProcAttr.AmbientCaps = grantCapSysPtrace(cmd.SysProcAttr.AmbientCaps)`
`1044`	`1044`
`1045`	`1045`	`// Here we must resist the temptation to "neaten up" the IDE output for headless builds.`
`1046`	`1046`	`// This would break the JSON parsing of the headless builds.`
`@@ -1984,3 +1984,9 @@ func waitForIde(parent context.Context, ideReady *ideReadyState, desktopIdeReady`
`1984`	`1984`	`}`
`1985`	`1985`	`return true, ""`
`1986`	`1986`	`}`
	`1987`	`+`
	`1988`	`+// We grant ptrace for IDE, terminal, ssh and their child process`
	`1989`	`+// It's make IDE attach more easier`
	`1990`	`+func grantCapSysPtrace(caps []uintptr) []uintptr {`
	`1991`	`+ return append(caps, unix.CAP_SYS_PTRACE)`
	`1992`	`+}`