run dettrace without privileged flag under docker

[wangbj]

when run under docker, dettrace requires --priviledged flag passed to docker, it would be nice to remove this flag, or a list of functions who depends on --priviledged flag.

[wangbj]

docker filter certain syscalls such as personality, seccomp, ptrace..., see:

https://docs.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile

[rrnewton]

Elsewhere we discussed 8 orthogonal aspects of determinization/sanboxing. Maybe these can be a checklist to ask ourselves "does sandboxing this feature require --priviliged?".

(1) host file system: mount all or part of it (related: optional chroot)
(2) environment variables: add all or part of it
(3) special paths (/proc, /dev, etc)
(4) ASLR
(5) user-namespace
(6) PID namespace
(7) mount namespace -- re: ability to bindmount
(8) network — allow or disallow (or, record in the case of fingerprinter)

[rrnewton]

@wangbj - seccomp is actually not on that list of disabled by default, right? But we're still pretty screwed by ptrace being disabled.