
ptrace in bwrap #511

Open
mvasi90 opened this issue May 16, 2022 · 2 comments

Comments


mvasi90 commented May 16, 2022

Hello everyone,

I'm working on a script that helps me to create bwrap profiles. The script collects all dependencies (files, folders, libraries), environment variables and syscalls from a given command.

There is third party software that collects private information, like Android Studio. So, I want to create profiles in a sandbox.
The problem is that strace does not work on bwrap. I tried with CAP_SYS_ADMIN and CAP_SYS_PTRACE but I get:

failed to init breakpoints 43
failed to initialize process 43: Permission denied
couldn't open program '/bin/bash': Permission denied

Here is a video of how the script works (if someone wants it, I will share the source code)

sandbox-av1.mp4
smcv (Collaborator) commented Nov 15, 2022

Please attach information to issue reports as text rather than videos, unless a video is the only way to show the information you're providing, so that maintainers aren't waiting for the video of your typing. I'm not going to watch a 16 minute video for your benefit. The most useful template for a bug report is:

  • steps to reproduce - what you did (the smaller and simpler you can make the failing situation, the better)
  • what you expected to happen as a result
  • what actually happened

#521 is an excellent example (even though its resolution was "this is working as designed" rather than a bug fix).

smcv (Collaborator) commented Nov 15, 2022

Some general thoughts on things that might be going wrong for you:

You seem to be using a seccomp filter of some sort to filter syscalls. ptrace is a syscall, so if you are trying to call ptrace inside the bwrap sandbox, your seccomp filter will need to allow it.

Also, please familiarize yourself with the sections of the ptrace(2) man page that deal with "Ptrace access mode checking", and compare them with what you are trying to do. Point 5(b) in the "Ptrace access mode checking" section deals with the interaction with capabilities and user namespaces, so it is very relevant to using bubblewrap.
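
As an added illustration of the seccomp point above (this is not code from the issue or from bubblewrap): a constructed raw cBPF allow-list in C that explicitly includes ptrace, together with a small simulator so the verdict for a given syscall number can be checked before the program is handed to bwrap via `--seccomp`. The syscall list is an assumption chosen for the example, not a complete profile.

```c
/* Constructed example: build a raw cBPF seccomp allow-list that permits
 * ptrace, and simulate it so a verdict can be checked without installing it. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>

/* Assumed allow-list for illustration; a real profile holds every syscall
 * the traced command needs. ptrace and wait4 are what a tracer itself uses. */
static const int allowed[] = { __NR_read, __NR_write, __NR_exit_group,
                               __NR_wait4, __NR_ptrace };
#define NALLOWED (sizeof allowed / sizeof allowed[0])
#define FILTER_LEN (1 + NALLOWED + 2)

static struct sock_filter filt[FILTER_LEN];

/* Layout: [0] load nr; [1..N] one JEQ per allowed syscall jumping to the
 * final ALLOW; [N+1] RET ERRNO(EPERM) for everything else; [N+2] RET ALLOW. */
size_t build_filter(void) {
    size_t i = 0, allow_idx = FILTER_LEN - 1;
    filt[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, nr));
    for (size_t a = 0; a < NALLOWED; a++, i++)
        filt[i] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                               (uint32_t)allowed[a],
                                               (uint8_t)(allow_idx - (i + 1)), 0);
    filt[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                             SECCOMP_RET_ERRNO | EPERM);
    filt[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Minimal interpreter for the three instruction forms used above; returns
 * the SECCOMP_RET_* verdict the kernel would give for syscall number nr. */
uint32_t filter_verdict(int nr) {
    struct seccomp_data d = { .nr = nr, .arch = 0 };
    uint32_t acc = 0;
    build_filter();
    for (size_t pc = 0; pc < FILTER_LEN; pc++) {
        const struct sock_filter *ins = &filt[pc];
        if (ins->code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const char *)&d + ins->k, sizeof acc);
        else if (ins->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == ins->k) ? ins->jt : ins->jf; /* relative to next insn */
        else if (ins->code == (BPF_RET | BPF_K))
            return ins->k;
    }
    return SECCOMP_RET_KILL_PROCESS; /* malformed program: fail closed */
}

/* Emit the raw program on stdout, e.g. for: bwrap --seccomp 9 ... 9<filter.bpf */
int main(void) {
    size_t n = build_filter();
    fwrite(filt, sizeof filt[0], n, stdout);
    return 0;
}
```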
