docker strace ptrace 报错 Operation not permitted 解决方法
2024-05-11 02:48:55
docker中gdb在进行进程debug时,会报错:
(gdb) attach 30721
Attaching to process 30721
ptrace: Operation not permitted.
原因就是因为ptrace被Docker默认禁止的问题。考虑到应用分析的需要,可以有以下几种方法解决:
1、关闭seccomp
docker run --security-opt seccomp=unconfined
2、采用超级权限模式
docker run --privileged
3、仅开放ptrace限制
docker run --cap-add sys_ptrace
当然从安全角度考虑,如只是想使用gdb进行debug的话,建议使用第三种。
安全计算模式(secure computing mode,seccomp)是 Linux 内核功能,可以使用它来限制容器内可用的操作。
Docker 的默认 seccomp 配置文件是一个白名单,它指定了允许的调用。
下表列出了由于不在白名单而被有效阻止的重要(但不是全部)系统调用。该表包含每个系统调用被阻止的原因。
| Syscall | Description |
|---|---|
| acct | Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_PACCT. |
| add_key | Prevent containers from using the kernel keyring, which is not namespaced. |
| adjtimex | Similar to clock_settime and settimeofday, time/date is not namespaced. Also gated by CAP_SYS_TIME. |
| bpf | Deny loading potentially persistent bpf programs into kernel, already gated by CAP_SYS_ADMIN. |
| clock_adjtime | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
| clock_settime | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
| clone | Deny cloning new namespaces. Also gated by CAP_SYS_ADMIN for CLONE_* flags, except CLONE_USERNS. |
| create_module | Deny manipulation and functions on kernel modules. Obsolete. Also gated by CAP_SYS_MODULE. |
| delete_module | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
| finit_module | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
| get_kernel_syms | Deny retrieval of exported kernel and module symbols. Obsolete. |
| get_mempolicy | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
| init_module | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
| ioperm | Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO. |
| iopl | Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO. |
| kcmp | Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
| kexec_file_load | Sister syscall of kexec_load that does the same thing, slightly different arguments. Also gated by CAP_SYS_BOOT. |
| kexec_load | Deny loading a new kernel for later execution. Also gated by CAP_SYS_BOOT. |
| keyctl | Prevent containers from using the kernel keyring, which is not namespaced. |
| lookup_dcookie | Tracing/profiling syscall, which could leak a lot of information on the host. Also gated by CAP_SYS_ADMIN. |
| mbind | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
| mount | Deny mounting, already gated by CAP_SYS_ADMIN. |
| move_pages | Syscall that modifies kernel memory and NUMA settings. |
| name_to_handle_at | Sister syscall to open_by_handle_at. Already gated by CAP_SYS_NICE. |
| nfsservctl | Deny interaction with the kernel nfs daemon. Obsolete since Linux 3.1. |
| open_by_handle_at | Cause of an old container breakout. Also gated by CAP_DAC_READ_SEARCH. |
| perf_event_open | Tracing/profiling syscall, which could leak a lot of information on the host. |
| personality | Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulns. |
| pivot_root | Deny pivot_root, should be privileged operation. |
| process_vm_readv | Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
| process_vm_writev | Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
| ptrace | Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping CAP_PTRACE. |
| query_module | Deny manipulation and functions on kernel modules. Obsolete. |
| quotactl | Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_ADMIN. |
| reboot | Don’t let containers reboot the host. Also gated by CAP_SYS_BOOT. |
| request_key | Prevent containers from using the kernel keyring, which is not namespaced. |
| set_mempolicy | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
| setns | Deny associating a thread with a namespace. Also gated by CAP_SYS_ADMIN. |
| settimeofday | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
| socket, socketcall | Used to send or receive packets and for other socket operations. All socket and socketcall calls are blocked except communication domains AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, and AF_PACKET. |
| stime | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
| swapon | Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN. |
| swapoff | Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN. |
| sysfs | Obsolete syscall. |
| _sysctl | Obsolete, replaced by /proc/sys. |
| umount | Should be a privileged operation. Also gated by CAP_SYS_ADMIN. |
| umount2 | Should be a privileged operation. Also gated by CAP_SYS_ADMIN. |
| unshare | Deny cloning new namespaces for processes. Also gated by CAP_SYS_ADMIN, with the exception of unshare –user. |
| uselib | Older syscall related to shared libraries, unused for a long time. |
| userfaultfd | Userspace page fault handling, largely needed for process migration. |
| ustat | Obsolete syscall. |
| vm86 | In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN. |
| vm86old | In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN. |
docker strace ptrace 报错 Operation not permitted 解决方法相关推荐
- 【node】windows使用 npm i -g报错operation not permitted解决方法
前言 公司电脑被装了安全控制软件后导致npm -g 安装很多东西提示operation not permitted,后来研究了下怎么解决该问题. 解决方式 首先打开不允许操作的路径,比如我这个报错: ...
- 登录mysql报错Failed to connect to backoff 或 Failed to get D-Bus connection: Operation not permitted解决方法
报错: Failed to get D-Bus connection: Operation not permitted 或 mysql -u root -p 登录mysql时报错 2020-09-16 ...
- mysql source导入报错ERROR 1366的解决方法
mysql source导入报错ERROR 1366的解决方法 参考文章: (1)mysql source导入报错ERROR 1366的解决方法 (2)https://www.cnblogs.com/ ...
- Python 报错 SyntaxError: invalid syntax 解决方法
Python 报错 SyntaxError: invalid syntax 解决方法 参考文章: (1)Python 报错 SyntaxError: invalid syntax 解决方法 (2)ht ...
- vue 报错unknown custom element解决方法
vue 报错unknown custom element解决方法 参考文章: (1)vue 报错unknown custom element解决方法 (2)https://www.cnblogs.co ...
- sqlyog for MySQL远程连接的时候报错mysql 1130的解决方法
通过Navicat for MySQL远程连接的时候报错mysql 1130的解决方法 今天在用远程连接Mysql服务器的数据库,不管怎么弄都是连接不到. 错误代码是1130,ERROR 1130: ...
- VMware报错“锁定文件失败“解决方法
VMware报错"锁定文件失败"解决方法 参考文章: (1)VMware报错"锁定文件失败"解决方法 (2)https://www.cnblogs.com/cb ...
- canvas生成图片toDataURL报错的原因和解决方法
canvas生成图片toDataURL报错的原因和解决方法 参考文章: (1)canvas生成图片toDataURL报错的原因和解决方法 (2)https://www.cnblogs.com/suna ...
- uni-app真机调试报错request:fail abort解决方法
uni-app真机调试报错request:fail abort解决方法 参考文章: (1)uni-app真机调试报错request:fail abort解决方法 (2)https://www.cnbl ...
最新文章
- CVPR 2021 | 国防科大:基于几何稳定性分析的物体位姿估计方法
- linux热插拔原理,.NET Core 的热插拔机制的深入探索
- debain apt oracle jdk,debian安装oracle jdk
- jedis操作set_redis命令行操作set集合和java方式操作set集合
- 从技术角度讨论微服务
- 大数据计算:如何仅用1.5KB内存为十亿对象计数
- linux下php的安装,Linux下PHP安装
- git更新pull报错Pulling 1 repository Remote does not have refs/heads/rel5.1 available for fetch
- django 模型-----模型查询
- 关于python函数参数的描述中、错误的是_在Python中,以下关于函数的描述错误的是哪一项?...
- unity 光探头_光探头
- Maya材质球与渲染基础--Redshift,Arnold,Xgen
- L13.linux命令每日一练 -- 第二章 文件和目录操作命令 -- lsattr和file命令
- 小林coding 的笔记——图解网络(一)
- linux修改文件名的三种方法
- 模仿QQ的左右滑动切换界面和下拉更新的效果
- 计算机为什么有网络凭证,Win10访问局域网中计算机共享文件显示需要网络凭证怎么办?...
- latex 分页_latex 排版 首页不会换页
- 干掉Office 正版增值计划通知 (KB949810)-CHS
- java手机游戏开发人才短缺