[supervisor] add ptrace cap for all child process

iQQBot · iQQBot · commit c26b6b8ad79b · 2024-11-12T08:24:34.000Z
diff --git a/components/supervisor/pkg/supervisor/ssh.go b/components/supervisor/pkg/supervisor/ssh.go
@@ -15,6 +15,7 @@ import (
 	"path/filepath"
 	"strings"
 
+	"golang.org/x/sys/unix"
 	"golang.org/x/xerrors"
 
 	"github.com/gitpod-io/gitpod/common-go/log"
@@ -170,6 +171,7 @@ func (s *sshServer) handleConn(ctx context.Context, conn net.Conn) {
 	cmd.Env = s.envvars
 	cmd.ExtraFiles = []*os.File{socketFD}
 	cmd.Stderr = os.Stderr
+	cmd.SysProcAttr.AmbientCaps = append(cmd.SysProcAttr.AmbientCaps, unix.CAP_SYS_PTRACE)
 	if s.cfg.WorkspaceLogRateLimit > 0 {
 		limit := int64(s.cfg.WorkspaceLogRateLimit)
 		cmd.Stderr = dropwriter.Writer(cmd.Stderr, dropwriter.NewBucket(limit*1024*3, limit*1024))
diff --git a/components/supervisor/pkg/supervisor/supervisor.go b/components/supervisor/pkg/supervisor/supervisor.go
@@ -42,6 +42,7 @@ import (
 	"github.com/prometheus/common/route"
 	"github.com/soheilhy/cmux"
 	"golang.org/x/crypto/ssh"
+	"golang.org/x/sys/unix"
 	"golang.org/x/xerrors"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
@@ -356,6 +357,9 @@ func Run(options ...RunOption) {
 		Uid: gitpodUID,
 		Gid: gitpodGID,
 	}
+	if !cfg.isHeadless() {
+		termMuxSrv.DefaultAmbientCaps = append(termMuxSrv.DefaultAmbientCaps, unix.CAP_SYS_PTRACE)
+	}
 
 	taskManager := newTasksManager(cfg, termMuxSrv, cstate, nil, ideReady, desktopIdeReady)
 
@@ -1036,6 +1040,8 @@ func prepareIDELaunch(cfg *Config, ideConfig *IDEConfig) *exec.Cmd {
 	cmd.SysProcAttr.Setpgid = true
 	cmd.SysProcAttr.Pdeathsig = syscall.SIGKILL
 
+	cmd.SysProcAttr.AmbientCaps = append(cmd.SysProcAttr.AmbientCaps, unix.CAP_SYS_PTRACE)
+
 	// Here we must resist the temptation to "neaten up" the IDE output for headless builds.
 	// This would break the JSON parsing of the headless builds.
 	cmd.Stdout = os.Stdout
diff --git a/components/supervisor/pkg/terminal/service.go b/components/supervisor/pkg/terminal/service.go
@@ -48,9 +48,10 @@ type MuxTerminalService struct {
 	// if returns empty string then DefaultWorkdir is used
 	DefaultWorkdirProvider func() string
 
-	DefaultShell string
-	Env          []string
-	DefaultCreds *syscall.Credential
+	DefaultShell       string
+	Env                []string
+	DefaultCreds       *syscall.Credential
+	DefaultAmbientCaps []uintptr
 
 	api.UnimplementedTerminalServiceServer
 }
@@ -109,6 +110,14 @@ func (srv *MuxTerminalService) OpenWithOptions(ctx context.Context, req *api.Ope
 			Y:    uint16(req.Size.HeightPx),
 		}
 	}
+
+	if srv.DefaultAmbientCaps != nil {
+		if cmd.SysProcAttr == nil {
+			cmd.SysProcAttr = &syscall.SysProcAttr{}
+		}
+		cmd.SysProcAttr.AmbientCaps = srv.DefaultAmbientCaps
+	}
+
 	alias, err := srv.Mux.Start(cmd, options)
 	if err != nil {
 		return nil, status.Error(codes.Internal, err.Error())
