From 432376524c8d757a8ff5ae18f301a9946ea45ab6 Mon Sep 17 00:00:00 2001
From: Thomas Woerner
Date: Wed, 9 Apr 2025 11:35:53 +0200
Subject: [PATCH 1/2] infra/image/shdefaults: Add SYS_PTRACE to CAP_DEFAULTS

Debugging is now enabled by default in the containers that are generated with container_create. "+SYS_PTRACE" has been added to CAP_DEFAULTS in shdefaults for this.
---
infra/image/shdefaults | 1 +
1 file changed, 1 insertion(+)

diff --git a/infra/image/shdefaults b/infra/image/shdefaults
index 86c50ab4..b5768cca 100644
--- a/infra/image/shdefaults
+++ b/infra/image/shdefaults
@@ -5,4 +5,5 @@
 # Use +CAP to add the capability and -CAP to drop the capability.
 CAP_DEFAULTS=(
 "+DAC_READ_SEARCH" # Required for SSSD
+"+SYS_PTRACE" # Required for debugging
 )

From 638422e113805c4c45547657dff328140785b77e Mon Sep 17 00:00:00 2001
From: Thomas Woerner
Date: Thu, 17 Apr 2025 16:10:10 +0200
Subject: [PATCH 2/2] infra/image/shcontainer: Fix processing of multi item CAP_DEFAULTS

readarray expects to get an item per line to be added to the array. Printing one item per line with printf fixes this to get the proper formatting for "${CAP_DEFAULTS[@]}" as a valid input for readarray.
---
infra/image/shcontainer | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/infra/image/shcontainer b/infra/image/shcontainer
index 018fac8c..3b6c4968 100644
--- a/infra/image/shcontainer
+++ b/infra/image/shcontainer
@@ -4,6 +4,7 @@ SCRIPTDIR="$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")"
 TOPDIR="$(readlink -f "${SCRIPTDIR}/../..")"
+# shellcheck disable=SC1091
 . "${SCRIPTDIR}/shdefaults"
 # shellcheck disable=SC1091
@@ -15,7 +16,8 @@ container_create() {
 shift 2
 declare -a extra_opts
 readarray -t extra_opts < \
- <(sed -e "s/-/--cap-drop=/g" -e "s/+/--cap-add=/g" <<< "${CAP_DEFAULTS[@]}")
+ <(sed -e "s/-/--cap-drop=/g" -e "s/+/--cap-add=/g" \ <<< "$(printf '%s\n' "${CAP_DEFAULTS[@]}")")
 for opt in "$@"
 do
 [ -z "${opt}" ] && continue
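Review bot: The added `"+SYS_PTRACE"` entry grants CAP_SYS_PTRACE to every container created through container_create, not only to debugging sessions, because CAP_DEFAULTS is applied unconditionally by the caller. CAP_SYS_PTRACE lets a process inside the container attach to and read or modify the memory of its peer processes, which is a considerably wider privilege than the DAC_READ_SEARCH entry above it, so it is better kept opt-in than made a default. Consider a separate array that is appended only when debugging is requested, or at least record the trade-off next to the entry: `"+SYS_PTRACE" # Required for debugging (gdb/strace); lets any process ptrace its peers — drop when not debugging`.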
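Review bot: The new `# shellcheck disable=SC1091` line before `. "${SCRIPTDIR}/shdefaults"` hides the sourced file from ShellCheck entirely, so variables such as CAP_DEFAULTS that come from it cannot be checked at the use sites in this script. The directive `# shellcheck source=infra/image/shdefaults` (relative to the repository root, matching the existing SC1091 directive below it) lets `shellcheck -x` follow the file instead of ignoring it. This is a point of lint style only; runtime behavior is unchanged either way.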
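Review bot: The printf rewrite fixes the one-item-per-line problem, but the sed mapping still passes any CAP_DEFAULTS entry that does not start with `+` or `-` through unchanged into extra_opts, where it lands as a bare word on the container runtime's command line, and the `g` flag rewrites every `-` or `+` in an entry rather than only the leading sign. A `case` loop over `"${CAP_DEFAULTS[@]}"` maps each entry with parameter expansion, rejects malformed entries explicitly, and removes the sed/process-substitution round trip; the error path below is a suggestion, since the surrounding function's error-handling convention is not visible here. The enclosing function container_create starts and ends outside the hunk.
```shell
    declare -a extra_opts
    # Map "+CAP"/"-CAP" entries to runtime flags; anything else is rejected.
    for cap in "${CAP_DEFAULTS[@]}"; do
        case "${cap}" in
            +*) extra_opts+=("--cap-add=${cap#+}") ;;
            -*) extra_opts+=("--cap-drop=${cap#-}") ;;
            *)
                printf 'container_create: bad CAP_DEFAULTS entry: %s\n' "${cap}" >&2
                return 1
                ;;
        esac
    done
    # … unchanged: for opt in "$@" loop …
```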