From fbb656edd252bf36dfd008af939a78d73c2650dd Mon Sep 17 00:00:00 2001 From: David Chamont Date: Fri, 9 Oct 2020 10:57:09 +0200 Subject: [PATCH 1/3] Transfered as issues in the gitlab project --- docker/WORK.md | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/docker/WORK.md b/docker/WORK.md index c130318..1394af0 100644 --- a/docker/WORK.md +++ b/docker/WORK.md @@ -18,14 +18,3 @@ For more information about this security protection see the info "(gdb)Auto-loading safe path" ``` - ---- -# Marrying C++ and Python - -Should we install something for the C++/Python connection ? - -Also, the python example mandel.py (and perhaps others) needs an X11 display... and: -* pylab -* ... - -Grosse galère avec "functools_lru_cache"... \ No newline at end of file -- GitLab From da5cae781fae82fed4c1c9f53cbb3c1b792b9e2e Mon Sep 17 00:00:00 2001 From: David Chamont Date: Fri, 9 Oct 2020 11:17:20 +0200 Subject: [PATCH 2/3] Switch off the gdb autoload security. --- docker/Dockerfile | 13 ++++++++++++- docker/WORK.md | 20 -------------------- 2 files changed, 12 insertions(+), 21 deletions(-) delete mode 100644 docker/WORK.md diff --git a/docker/Dockerfile b/docker/Dockerfile index 837d717..42bdf9b 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile 
@@ -1,38 +1,49 @@ # Version 1 + FROM gcc:9.3.0 # Ensure use of bash + SHELL ["/bin/bash","-c"] # timezone + ENV TZ=Europe/Paris -# apt-get preparation +# apt-get general preparation + RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections ARG DEBIAN_FRONTEND=noninteractive RUN apt-get update \ && apt-get install -y apt-utils # c++ tools + RUN apt-get install -y build-essential \ && apt-get install -y cppcheck \ && apt-get install -y libc6-dbg gdb \ && apt-get install -y binutils graphviz \ && apt-get install -y valgrind kcachegrind +RUN echo "set auto-load safe-path /" > /root/.gdbinit + # python + RUN apt-get install -y python-backports.functools-lru-cache \ && apt-get install -y python-tk \ && apt-get install -y python-pip + RUN pip install numpy RUN pip install matplotlib # other + RUN rm -rf /var/lib/apt/lists/* ENV PATH=${PATH}:. ENV LD_LIBRARY_PATH=. # start a shell by default + CMD bash diff --git a/docker/WORK.md b/docker/WORK.md deleted file mode 100644 index 1394af0..0000000 --- a/docker/WORK.md +++ /dev/null @@ -1,20 +0,0 @@ - ---- -# Gdb - -When playing with gdb, there is a disturbing warning, to be understood : - -``` -warning: Error disabling address space randomization: Operation not permitted -warning: File "/usr/local/lib64/libstdc++.so.6.0.28-gdb.py" auto-loading has been declined by your `auto-load safe-path' set to "$debugdir:$datadir/auto-load". -To enable execution of this file add - add-auto-load-safe-path /usr/local/lib64/libstdc++.so.6.0.28-gdb.py -line to your configuration file "/root/.gdbinit". -To completely disable this security protection add - set auto-load safe-path / -line to your configuration file "/root/.gdbinit". -For more information about this security protection see the -"Auto-loading safe path" section in the GDB manual. E.g., run from the shell: - info "(gdb)Auto-loading safe path" -``` - -- GitLab From 7c33424f839a46e4dec4360d167a25a79d34d3c3 Mon Sep 17 00:00:00 2001 
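Review bot: The added `RUN echo "set auto-load safe-path /" > /root/.gdbinit` turns off gdb's auto-load protection for every path, not only for the libstdc++ pretty-printer that triggered the warning. The run scripts bind-mount the host working directory at /work, so a `.gdbinit` or `*-gdb.py` shipped inside a project being debugged there would presumably be loaded by gdb without any prompt. The warning text quoted in the deleted WORK.md already names the narrower option; I would write `RUN echo "add-auto-load-safe-path /usr/local/lib64" >> /root/.gdbinit` (or the exact `libstdc++.so.6.0.28-gdb.py` path) instead. A Dockerfile comment above it, e.g. `# trust only the libstdc++ pretty-printers shipped with the gcc image`, would record why the entry exists.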
From: David Chamont Date: Fri, 9 Oct 2020 11:18:32 +0200 Subject: [PATCH 3/3] New option needed so that gdb can switch off space randomization. --- docker/run.sh | 2 +- docker/run_x11_linux.sh | 2 +- docker/run_x11_macos.sh | 2 +- docker/run_x11_win.sh | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docker/run.sh b/docker/run.sh index e690911..c1e1320 100755 --- a/docker/run.sh +++ b/docker/run.sh @@ -3,4 +3,4 @@ SCRIPT_NAME=${BASH_SOURCE[0]} SCRIPT_DIR=`dirname ${SCRIPT_NAME}` -docker run -it --rm -v $PWD:/work -w /work `cat ${SCRIPT_DIR}/name.txt` $* +docker run --security-opt seccomp=unconfined -it --rm -v $PWD:/work -w /work `cat ${SCRIPT_DIR}/name.txt` $* diff --git a/docker/run_x11_linux.sh b/docker/run_x11_linux.sh index 68c1163..e258bfd 100755 --- a/docker/run_x11_linux.sh +++ b/docker/run_x11_linux.sh @@ -6,4 +6,4 @@ SCRIPT_DIR=`dirname ${SCRIPT_NAME}` export DISPLAY=:0 xhost + -docker run -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix:rw -it --rm -v $PWD:/work -w /work `cat ${SCRIPT_DIR}/name.txt` $* +docker run -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix:rw --security-opt seccomp=unconfined -it --rm -v $PWD:/work -w /work `cat ${SCRIPT_DIR}/name.txt` $* diff --git a/docker/run_x11_macos.sh b/docker/run_x11_macos.sh index 938622e..5d6ff6c 100755 --- a/docker/run_x11_macos.sh +++ b/docker/run_x11_macos.sh @@ -6,4 +6,4 @@ SCRIPT_DIR=`dirname ${SCRIPT_NAME}` export DISPLAY=${MYIP}:0 xhost + ${MYIP} -docker run -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix:rw -it --rm -v $PWD:/work -w /work `cat ${SCRIPT_DIR}/name.txt` $* +docker run -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix:rw --security-opt seccomp=unconfined -it --rm -v $PWD:/work -w /work `cat ${SCRIPT_DIR}/name.txt` $* diff --git a/docker/run_x11_win.sh b/docker/run_x11_win.sh index 278cacf..a03150d 100755 --- a/docker/run_x11_win.sh +++ b/docker/run_x11_win.sh 
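Review bot: `--security-opt seccomp=unconfined` on the new `docker run` line in run.sh removes the container's entire seccomp filter, while the commit subject says the only need is for gdb to switch off address-space randomization. That is a far wider grant than the single call gdb is being refused (presumably `personality`), and the same option is added in run_x11_linux.sh, run_x11_macos.sh and run_x11_win.sh, two of which also share the host X11 socket. Consider a custom profile that adds only the missing call, `--security-opt seccomp="${SCRIPT_DIR}/gdb-seccomp.json"` (file name is a placeholder). Alternatively, keep the default profile and put `set disable-randomization off` in the image's `.gdbinit` if fixed addresses are not required. Either way, a comment above the line such as `# seccomp relaxed so gdb can disable ASLR for the debuggee` would tell the next reader why the option is there.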
@@ -6,4 +6,4 @@ SCRIPT_DIR=`dirname ${SCRIPT_NAME}` export DISPLAY=${MYIP}:0 xhost + ${MYIP} -docker run -e DISPLAY=$DISPLAY -it --rm -v $PWD:/work -w /work `cat ${SCRIPT_DIR}/name.txt` $* +docker run -e DISPLAY=$DISPLAY --security-opt seccomp=unconfined -it --rm -v $PWD:/work -w /work `cat ${SCRIPT_DIR}/name.txt` $* -- GitLab
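Review bot: The rewritten `docker run` line in run_x11_win.sh still expands `$PWD`, `${SCRIPT_DIR}` and `$*` unquoted, so a working directory containing a space breaks the `-v` mount and arguments forwarded to the container are re-split. Since the line is being touched anyway, its tail could become `-v "$PWD":/work -w /work "$(cat "${SCRIPT_DIR}/name.txt")" "$@"`. The same applies to the changed line in run.sh, run_x11_linux.sh and run_x11_macos.sh. The top of each script lies outside the hunks, so how `SCRIPT_DIR` and `MYIP` are set cannot be checked from here.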