I am looking at enabling debugging in some of our production containers. In our usecase, I would not need CAP_SYS_PTRACE. yama.ptrace_scope on my system is set to the default 1 (“restricted ptrace”, debug children only). I have a recent version of the Linux kernel (4.20), so am not susceptible to the classic seccomp ptrace hole that existed in the 2.x and early 3 branches. Further, user namespaces are in use to map my container UIDs to a high range on the host.

Given these things I thought it could be okay to enable the ptrace syscall in the seccomp profile our containers use. However, looking at the Docker seccomp profile page, I see a callout for why ptrace is disabled:

ptrace: Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping CAP_PTRACE.

So I am wondering, under what conditions should it be safe to allow the ptrace syscall in a Docker container today? Is it ever safe?