Enable `CAP_PTRACE` in our GitLab CI
The network team have a problem right now with our runners and our memory sanitizer test runs (known as Debian Hardened), because our runners don't allow us to use the ptrace system call. This runner is what effectively helps us avoid an issue like the recent GnuPG libgcrypt emergency release, which could have been detected in CI with the appropriate sanitizers enabled.
There is some analysis of enabling ptrace in Docker at https://jvns.ca/blog/2020/04/29/why-strace-doesnt-work-in-docker/ -- it sounds like newer Docker versions (above 19.03) on Linux kernels newer than 4.8 do allow ptrace inside of Docker.
I think for now a good idea would be to add:

```toml
cap_add = ["SYS_PTRACE"]
```

to our GitLab CI Docker executor configuration, as per https://docs.gitlab.com/runner/configuration/advanced-configuration.html
The network team's part of this issue is tracked in tpo/core/tor#40275 (closed)
I did a test run to verify that gitlab.com's CI allows ptrace and the output can be seen at https://gitlab.com/ahf/tor/-/jobs/1005663912
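As an added example (not part of the ticket, and not code from the tor or GitLab Runner projects), the following script checks from inside a CI job whether the container actually has `CAP_SYS_PTRACE` once the runner change is deployed, so a sanitizer job can fail early with a clear message instead of an obscure ptrace error. It reads the `CapEff` bitmask from `/proc/self/status` and tests bit 19, the capability number of `CAP_SYS_PTRACE`; the `config.toml` fragment in the comment is an assumed placement of `cap_add` under `[runners.docker]`, and the masks used in the test are constructed values (the default Docker effective set without and with `SYS_PTRACE`).

```shell
#!/bin/sh
# Added example, not from the ticket or the tor/GitLab Runner projects:
# fail fast when the CI container lacks CAP_SYS_PTRACE.
#
# Assumed runner config.toml fragment; cap_add belongs in [runners.docker]
# according to the GitLab Runner advanced-configuration docs:
#
#   [[runners]]
#     executor = "docker"
#     [runners.docker]
#       cap_add = ["SYS_PTRACE"]

# CAP_SYS_PTRACE is capability number 19 (linux/capability.h), i.e. bit 19
# of the hex bitmasks the kernel reports as CapEff/CapBnd in /proc/<pid>/status.
CAP_SYS_PTRACE_BIT=19

# cap_mask_has_sys_ptrace HEXMASK
# Exit 0 if bit 19 is set in HEXMASK (as printed by /proc/self/status, no 0x
# prefix), 1 if it is clear or the mask is empty / not a hex string.
cap_mask_has_sys_ptrace() {
    cap_mask="$1"
    case "$cap_mask" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "$(( (0x$cap_mask >> CAP_SYS_PTRACE_BIT) & 1 ))" -eq 1 ]
}

# current_cap_eff: print the effective capability mask of this shell
# (empty output if /proc is not available).
current_cap_eff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null
}

# check_ptrace_available: print a diagnosis and return non-zero if ptrace
# would fail, so the sanitizer job stops here rather than deep inside the
# sanitizer runtime.
check_ptrace_available() {
    cap_eff="$(current_cap_eff)"
    if cap_mask_has_sys_ptrace "$cap_eff"; then
        echo "CapEff=$cap_eff: CAP_SYS_PTRACE present, ptrace should work"
        return 0
    fi
    echo "CapEff=${cap_eff:-unreadable}: CAP_SYS_PTRACE missing;" \
         "add cap_add = [\"SYS_PTRACE\"] under [runners.docker]" >&2
    return 1
}

# Run the live check only when asked, e.g. as the first step of a CI job:
#   sh check_ptrace.sh --check
case "${1:-}" in
    --check) check_ptrace_available ;;
esac
```

Run it with `--check` as an early `script:` step of the sanitizer job; a non-zero exit fails the job before any test binary is started. The bitmask test is deliberately separate from the `/proc` read so the same function can be pointed at `CapBnd` if the bounding set, rather than the effective set, turns out to be what drops the capability.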