
[firefox] rr doesn't work

Open jankeromnes opened this issue 8 years ago • 4 comments

rr:

[FATAL /home/roc/rr/rr/src/RecordSession.cc:1693:create() errno: SUCCESS] rr needs /proc/sys/kernel/perf_event_paranoid <= 1, but it is 2.

gdb:

~~warning: Error disabling address space randomization: Operation not permitted~~ (just a warning, gdb will still work)

jankeromnes avatar Dec 14 '17 17:12 jankeromnes

For gdb, apparently using set disable-randomization off as suggested here didn't work. Maybe Firefox is built without symbols somehow?

jankeromnes avatar Dec 14 '17 17:12 jankeromnes

Update: We fixed "rr needs /proc/sys/kernel/perf_event_paranoid <= 1, but it is 2.", so now rr works fine on the Docker host, but it still won't work in Docker containers.

When @notriddle added the capability CAP_SYS_ADMIN to containers, rr seemed to work, but this capability is way too dangerous to be enabled for all containers (it basically gives root on the host).

@padenot suggested adding CAP_SYS_PTRACE to containers, which may also help gdb. But I have no idea whether this is any less dangerous than CAP_SYS_ADMIN.

See also https://github.com/JanitorTechnology/janitor/issues/232

jankeromnes avatar Feb 09 '18 16:02 jankeromnes

Update: Just saw the "Error disabling address space randomization: Operation not permitted" warning but GDB then worked fine.

Not sure what your issue was @bnjbvr, but it probably wasn't related to the warning you saw.

jankeromnes avatar Feb 12 '18 13:02 jankeromnes

We should enable CAP_SYS_PTRACE and disable seccomp. This allows debugger usage as well as using perf related syscalls. The drawback is that seccomp can be bypassed (which we disable anyway), and potential vulnerabilities may be easier to exploit successfully. This does sound like an acceptable tradeoff though.

ishitatsuyuki avatar Mar 29 '18 15:03 ishitatsuyuki
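Added example, not part of the thread or of the dockerfiles repo: a small POSIX shell check for the two preconditions the discussion above turns on. rr needs the host's perf_event_paranoid sysctl at 1 or lower (it is kernel-wide, so it cannot be fixed from inside a container), and the debugging tools need either CAP_SYS_PTRACE or the much broader CAP_SYS_ADMIN in the container's effective capability set. The function names and the sample capability masks in the comments are this example's own; capability bit numbers are the ones from linux/capability.h.

```shell
#!/bin/sh
# Added example, not code from the issue thread or the dockerfiles repo.
# Checks the two preconditions the thread identifies for running rr/gdb in
# a container: the host's perf_event_paranoid (a kernel-wide sysctl) and
# whether the process holds CAP_SYS_PTRACE or the far broader CAP_SYS_ADMIN.
# Function names and the sample masks mentioned below are this example's own.

# Capability bit numbers from <linux/capability.h>.
CAP_SYS_PTRACE=19
CAP_SYS_ADMIN=21

# rr_paranoid_ok VALUE
# Succeeds when VALUE is what rr accepts (perf_event_paranoid <= 1).
rr_paranoid_ok() {
    [ "$1" -le 1 ]
}

# has_cap HEXMASK BIT
# Succeeds when bit BIT is set in HEXMASK, a capability mask in the format
# printed by /proc/<pid>/status (e.g. the "CapEff:" line).
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# debug_caps HEXMASK
# Prints which of the thread's two options the effective set provides:
#   sys_admin  - CAP_SYS_ADMIN present (the thread's "basically root on the host")
#   sys_ptrace - only the narrower CAP_SYS_PTRACE present
#   none       - neither (sample mask 00000000a80425fb, a plain Docker default
#                set without either capability, lands here)
debug_caps() {
    if has_cap "$1" "$CAP_SYS_ADMIN"; then
        echo sys_admin
    elif has_cap "$1" "$CAP_SYS_PTRACE"; then
        echo sys_ptrace
    else
        echo none
    fi
}

# cap_eff_mask
# Reads the current process's effective capability mask from /proc.
cap_eff_mask() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Live report when /proc is available (Linux only; skipped elsewhere).
if [ -r /proc/sys/kernel/perf_event_paranoid ] && [ -r /proc/self/status ]; then
    paranoid=$(cat /proc/sys/kernel/perf_event_paranoid)
    if rr_paranoid_ok "$paranoid"; then
        echo "perf_event_paranoid=$paranoid: ok for rr"
    else
        echo "perf_event_paranoid=$paranoid: rr will refuse to record (needs <= 1)"
    fi
    echo "effective capabilities: $(debug_caps "$(cap_eff_mask)")"
fi
```

Run it inside the container whose debugging setup is in question. The narrower option the last comment proposes corresponds to starting the container with `docker run --cap-add=SYS_PTRACE --security-opt seccomp=unconfined ...` rather than `--cap-add=SYS_ADMIN`; the script reports `sys_ptrace` for the former and `sys_admin` for the latter, and a failing perf_event_paranoid check has to be fixed on the host, not in the container.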