allow SYS_PTRACE capability when running tests

[dirk-thomas]

To address test failures related to trying to use leak sanitizer:

• http://build.ros2.org/view/Rci/job/Rci__nightly-fastrtps_ubuntu_focal_amd64/58/testReport/(root)/projectroot/test_ros2_message/
• http://build.ros2.org/view/Rdev/job/Rdev__rosbag2__ubuntu_focal_amd64/31/testReport/(root)/projectroot/test_ros2_message/

See the temporary job which passes with this option.

[nuclearsandwich]

The ptrace capability is an especially egregious one when it comes to capabilities for containers running untrusted code (as devel and CI jobs do) since escaping the container with the ptrace capability gives you lots of potential for damage (https://nvd.nist.gov/vuln/detail/2016-9962 is an example from memory where ptrace makes it easier to leverage a container escape). I am very hesitant to add this capability and would want to see a discussion of the added risk and the mitigations in place for it.

[dirk-thomas]

I am very hesitant to add this capability and would want to see a discussion of the added risk and the mitigations in place for it.

Please start the discussion somewhere - not sure what the best place for it would be - here or Slack?

Do you have an alternative proposal how to address the failing test?

Since this currently makes several jobs unstable I would like to get them green within a few days. If the discussion needs more time and there is no alternative I probably woulddisable the sanitizer for now.

[dirk-thomas]

Closing since undesired.

Instead the sanitizer is being disabled in the rosbag2_cpp package: ros2/rosbag2#517.