M README.md => README.md +2 -0
@@ 148,6 148,8 @@ easy to, for example, specify a file relative to the project root.
`/etc/group` read-only, and set the UID within the container to the
UID running BEM.
* `none` -- do nothing and set the UID within the container to 0 (root).
+* `enable_ptrace` -- set to `True` to add the `SYS_PTRACE` capability to the
+ container. (default: `True`)
The following config keys should not be changed, but may be used via for
substitution/indirection.
M bem/bem_config.py => bem/bem_config.py +1 -0
@@ 95,6 95,7 @@ def load_config(inifile, args, ini_dir):
"noenvtamper": bem_util.parse_bool,
"noenvpassthrough": bem_util.parse_bool,
"x11": bem_util.parse_bool,
+ "enable_ptrace": bem_util.parse_bool,
"flush_interval": int,
"dockerfile": pathlib.Path,
"bem_file_dir": pathlib.Path,
M bem/bem_constants.py => bem/bem_constants.py +1 -0
@@ 15,6 15,7 @@ config_defaults = {
"x11": True,
"squashmethod": "bind",
"noenvpassthrough": False,
+ "enable_ptrace": True,
}
default_ps1 = "[BEM:$BEM_PROJECT] $(whoami)@$(hostname) $(pwd) $ "
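Review bot: The new default `"enable_ptrace": True` grants `SYS_PTRACE` to every container unless the user explicitly opts out, which is the opposite of a least-privilege default for a capability that only debugging workflows need. Combined with the `none` user mode documented in the README hunk (UID 0 inside the container), the default configuration hands a root process an extra capability it never asked for; if I read it right, nothing in this commit gates the capability on the user mode. I would flip the default to `"enable_ptrace": False,` and change the README line to `(default: \`False\`)`, so projects that need gdb/strace opt in deliberately. If the project prefers the permissive default, the README should at least say why the capability is on by default and what it exposes.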
M bem/bem_engine.py => bem/bem_engine.py +5 -0
@@ 145,6 145,10 @@ def execute_command(config, command):
logging.debug("volumes:")
bem_util.log_pretty(logging.debug, volumes)
+ caps = []
+ if config["enable_ptrace"]:
+ caps.append("SYS_PTRACE")
+
# TODO: if getcwd does not exist inside of the container (not a child of
# any volume), set to project dir instead
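Review bot: The capability list built here is never logged, while the volumes right above it are dumped at debug level, so an operator debugging a container cannot see from the log whether `SYS_PTRACE` was granted. After the `if` block I would add `logging.debug("cap_add: %s", caps)` so the granted capabilities are visible next to the bind mounts. As a matter of style the three-line build could also be the single expression `caps = ["SYS_PTRACE"] if config["enable_ptrace"] else []`. execute_command's body continues outside this hunk.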
@@ 171,6 175,7 @@ def execute_command(config, command):
command=command,
host_config=client.api.create_host_config(
binds=volumes,
+ cap_add=caps,
),
user=user,
environment=config["#environment"],