Question
Running gdb inside a Docker container: a breakpoint is set, but execution never stops at it.
Reason
To protect the host, Docker enables a number of security restrictions by default. One effect is that ASLR (address space layout randomization) stays active for the debugged process: gdb normally disables it for its inferior, but in a default container it cannot (the personality call it uses for that is blocked, see the seccomp table below), so the memory addresses inside the container differ from the ones gdb expects.
With ASLR still in effect, gdb features that depend on fixed addresses no longer work properly.
Solution
Run the container in Docker's privileged mode by adding --privileged (two leading dashes; markdown may render them as a single dash), like:
docker run --privileged ……
gdb then works normally.
Privileged mode switches off many of Docker's default security restrictions, which also makes more of Docker's functionality available inside the container.
For example, it even becomes possible to run Docker inside Docker, haha.
Supplementary knowledge: "ptrace: Operation not permitted" in Docker and how to handle it
When gdb attaches to a process inside Docker, the following error is reported:
(gdb) attach 30721
Attaching to process 30721
ptrace: Operation not permitted.
The reason is that Docker blocks ptrace by default. Depending on what the application analysis needs, the problem can be resolved in any of the following ways:
1. Disable seccomp
docker run --security-opt seccomp=unconfined
2. Use privileged mode
docker run --privileged
3. Lift only the ptrace restriction
docker run --cap-add sys_ptrace
From a security perspective, if all you need is gdb for debugging, the third option is recommended, since it grants only the ptrace capability and leaves the other restrictions in place.
Secure computing mode (seccomp) is a Linux kernel feature that can be used to restrict the system calls available to a container.
Docker's default seccomp profile is a whitelist: it specifies the calls that are allowed, and everything else is denied.
The following table lists important (but not all) system calls that are effectively blocked because they are not on the whitelist, together with the reason each one is blocked.
Syscall | Description |
---|---|
acct | Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_PACCT. |
add_key | Prevent containers from using the kernel keyring, which is not namespaced. |
adjtimex | Similar to clock_settime and settimeofday, time/date is not namespaced. Also gated by CAP_SYS_TIME. |
bpf | Deny loading potentially persistent bpf programs into kernel, already gated by CAP_SYS_ADMIN. |
clock_adjtime | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
clock_settime | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
clone | Deny cloning new namespaces. Also gated by CAP_SYS_ADMIN for CLONE_* flags, except CLONE_USERNS. |
create_module | Deny manipulation and functions on kernel modules. Obsolete. Also gated by CAP_SYS_MODULE. |
delete_module | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
finit_module | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
get_kernel_syms | Deny retrieval of exported kernel and module symbols. Obsolete. |
get_mempolicy | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
init_module | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
ioperm | Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO. |
iopl | Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO. |
kcmp | Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
kexec_file_load | Sister syscall of kexec_load that does the same thing, slightly different arguments. Also gated by CAP_SYS_BOOT. |
kexec_load | Deny loading a new kernel for later execution. Also gated by CAP_SYS_BOOT. |
keyctl | Prevent containers from using the kernel keyring, which is not namespaced. |
lookup_dcookie | Tracing/profiling syscall, which could leak a lot of information on the host. Also gated by CAP_SYS_ADMIN. |
mbind | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
mount | Deny mounting, already gated by CAP_SYS_ADMIN. |
move_pages | Syscall that modifies kernel memory and NUMA settings. |
name_to_handle_at | Sister syscall to open_by_handle_at. Already gated by CAP_SYS_NICE. |
nfsservctl | Deny interaction with the kernel nfs daemon. Obsolete since Linux 3.1. |
open_by_handle_at | Cause of an old container breakout. Also gated by CAP_DAC_READ_SEARCH. |
perf_event_open | Tracing/profiling syscall, which could leak a lot of information on the host. |
personality | Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulns. |
pivot_root | Deny pivot_root, should be privileged operation. |
process_vm_readv | Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
process_vm_writev | Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE. |
ptrace | Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping CAP_PTRACE. |
query_module | Deny manipulation and functions on kernel modules. Obsolete. |
quotactl | Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_ADMIN. |
reboot | Don't let containers reboot the host. Also gated by CAP_SYS_BOOT. |
request_key | Prevent containers from using the kernel keyring, which is not namespaced. |
set_mempolicy | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
setns | Deny associating a thread with a namespace. Also gated by CAP_SYS_ADMIN. |
settimeofday | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
socket, socketcall | Used to send or receive packets and for other socket operations. All socket and socketcall calls are blocked except communication domains AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, and AF_PACKET. |
stime | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
swapon | Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN. |
swapoff | Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN. |
sysfs | Obsolete syscall. |
_sysctl | Obsolete, replaced by /proc/sys. |
umount | Should be a privileged operation. Also gated by CAP_SYS_ADMIN. |
umount2 | Should be a privileged operation. Also gated by CAP_SYS_ADMIN. |
unshare | Deny cloning new namespaces for processes. Also gated by CAP_SYS_ADMIN, with the exception of unshare --user. |
uselib | Older syscall related to shared libraries, unused for a long time. |
userfaultfd | Userspace page fault handling, largely needed for process migration. |
ustat | Obsolete syscall. |
vm86 | In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN. |
vm86old | In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN. |
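The three options above (seccomp=unconfined, --privileged, --cap-add sys_ptrace) differ in how much of the allow-list they throw away. A fourth, narrower route is to keep Docker's default profile and pass a custom one that only adds the calls gdb needs. The following Python script is an added example, not Docker's or gdb's own code: it evaluates a Docker-style seccomp profile the way the table above describes (allow-list plus capability-gated rules, default deny) and derives a gdb-friendly profile from it. The embedded profile is a constructed, heavily trimmed subset that only assumes the same JSON shape as Docker's default profile; the real file is far larger, and the file name gdb-seccomp.json is a placeholder.

```python
"""
Evaluate a Docker-style seccomp profile and derive a least-privilege
variant for gdb, instead of using --privileged or seccomp=unconfined.
Added example; not Docker's own profile or code.
"""
import copy
import json

# Constructed, simplified subset of a Docker-style profile (assumption:
# same JSON shape as Docker's default profile, which is much larger).
BASE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",   # anything not listed is denied
    "syscalls": [
        {"names": ["read", "write", "open", "close", "execve",
                   "exit_group", "mmap", "brk", "rt_sigaction"],
         "action": "SCMP_ACT_ALLOW"},
        # Capability-gated rule: these calls are only allowed when the
        # container holds CAP_SYS_PTRACE (what --cap-add sys_ptrace adds).
        {"names": ["kcmp", "process_vm_readv", "process_vm_writev", "ptrace"],
         "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_PTRACE"]}},
    ],
}

# Calls gdb relies on beyond the base allow-list: ptrace to attach and
# single-step, process_vm_* to read/write the inferior's memory, and
# personality to switch ASLR off for the debuggee. The table above lists
# all four as blocked by default.
GDB_SYSCALLS = ["ptrace", "process_vm_readv", "process_vm_writev", "personality"]


def is_allowed(profile, syscall, caps=()):
    """True if `syscall` is permitted for a container holding `caps`.
    Rules are scanned in order; a rule whose capability requirement is
    not met is skipped; if nothing matches, defaultAction decides."""
    for rule in profile["syscalls"]:
        if syscall not in rule["names"]:
            continue
        needed = rule.get("includes", {}).get("caps", [])
        if needed and not all(c in caps for c in needed):
            continue
        return rule["action"] == "SCMP_ACT_ALLOW"
    return profile["defaultAction"] == "SCMP_ACT_ALLOW"


def blocked_for_gdb(profile, caps=()):
    """Which of gdb's syscalls the profile still denies for these caps."""
    return [s for s in GDB_SYSCALLS if not is_allowed(profile, s, caps)]


def gdb_profile(profile):
    """Copy of `profile` with one extra unconditional allow rule for the
    gdb syscalls. Every other call stays exactly as restricted as before,
    unlike --privileged (all caps, no seccomp) or seccomp=unconfined."""
    out = copy.deepcopy(profile)
    out["syscalls"].append({"names": list(GDB_SYSCALLS),
                            "action": "SCMP_ACT_ALLOW"})
    return out


if __name__ == "__main__":
    print("default profile, no extra caps :", blocked_for_gdb(BASE_PROFILE))
    print("default + --cap-add sys_ptrace :",
          blocked_for_gdb(BASE_PROFILE, ("CAP_SYS_PTRACE",)))
    print("custom gdb profile             :",
          blocked_for_gdb(gdb_profile(BASE_PROFILE)))
    # Save as gdb-seccomp.json (placeholder name) and start the container with
    #   docker run --security-opt seccomp=gdb-seccomp.json ...
    print(json.dumps(gdb_profile(BASE_PROFILE), indent=2))
```

Running the script shows the gap between the options: with no extra capability all four gdb calls are denied (the "ptrace: Operation not permitted" case); --cap-add sys_ptrace unblocks ptrace and the process_vm_* calls but still leaves personality denied, so gdb attaches fine but cannot turn ASLR off; the derived profile allows exactly the four calls and nothing more, which is the smallest change that lets a default container be debugged.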
This article has covered how to get gdb to stop at breakpoints inside Docker. That is all I have to share; I hope it is a useful reference and I hope for your continued support.