by blincoln
717 days ago
I am reasonably sure that the intended behaviour of Linux is that a process can only be ptraced by one other process level at a time. However, a few years ago, I discovered that a process inside a container being ptraced could be ptraced by a second process running as root at the host level.[1][2] I don't know if that's been patched away since then, but my assumption at the time was that it meant that the "there can be only one" aspect of ptrace was more of an arbitrary decision, not a hard limit.

[1] https://assets.bishopfox.com/prod-1437/Documents/Guides/2022...

[2] I'm not sure if the "double ptrace" scenario made it into the final document, but it's the same techniques discussed in there, just attach a tracer to the containerized process from inside the container before you attach gdb or asminject.py from outside of the container.