[crac] RFR: Ignore open files in /var/lib/sss/mc [v4]

Anton Kozlov akozlov at openjdk.org
Tue Nov 7 13:57:11 UTC 2023


On Tue, 7 Nov 2023 12:20:28 GMT, Radim Vansa <rvansa at openjdk.org> wrote:

>> I was considering different ways to fix this - there are actually two problems:
>> 1) how to detect that?
>> * This PR whitelists all files in the directory (we could explicitly name `passwd`, `group`, `sid` and `initgroups`...)
>> * We could manually check all places in JDK that call `getpwuid*`, `getpwname*`, `getgrgid*` and `getgrname*` and maybe some other functions, and diff FDs opened before/after the call. However, this a) has a performance impact and b) is prone to races
>> * Intercept the call: either catch syscalls (ptrace or seccomp), or patching `sss_open_cloexec` in memory, or preloading it? Rather complicated.
>> 2) what to do with the open FD?
>> * Current solution is to leave this up to CRIU (or another C/R engine). Again the simplest
>> * We could close this; the FD is `fstat`-validated later on, so this would cause errors from these functions. We would need to patch the library, de-initializing the implementation (also risky).
>> 
>> Normally I would try to include a testcase, but given that this is system-dependent (and the issue does not appear even in a CentOS Stream 9 container) I've only done manual testing.
>
> Radim Vansa has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Add comment

src/hotspot/os/linux/globals_linux.hpp line 120:

> 118: // after calling getpwuid_r, getpwname_r, getgrgid_r, getgrname_r
> 119: // or other functions in this family.
> 120: define_pd_global(ccstrlist, CRAllowedOpenFilePrefixes, "/var/lib/sss/mc/");

This has to be replicated over all platforms, e.g. the macOS build is broken: https://github.com/rvansa/crac/actions/runs/6784349063/job/18440498579

-------------

PR Review Comment: https://git.openjdk.org/crac/pull/137#discussion_r1384951160
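
The prefix allowlist discussed in this thread, sketched as an added example (not CRaC's code and not posted by either participant): it walks `/proc/self/fd` on Linux and reports open files whose path falls outside the allowed prefixes. The names `is_allowed`, `OpenFile` and `unexpected_open_files` are hypothetical; only the `/var/lib/sss/mc/` prefix comes from the patch.

```cpp
#include <dirent.h>
#include <unistd.h>
#include <cstdlib>
#include <string>
#include <vector>

// True when path starts with one of the allowed prefixes. A prefix without a
// trailing '/' also matches sibling names ("/var/lib/sss/mc" matches
// "/var/lib/sss/mcx/..."), which is why the patch value ends in '/'.
bool is_allowed(const std::string& path, const std::vector<std::string>& prefixes) {
    for (const auto& p : prefixes)
        if (!p.empty() && path.compare(0, p.size(), p) == 0) return true;
    return false;
}

struct OpenFile { int fd; std::string path; };

// Open FDs of this process that point at a filesystem path outside the
// allowlist. Paths come from the kernel via readlink(), so they contain no
// ".." components that could slip past the prefix comparison.
std::vector<OpenFile> unexpected_open_files(const std::vector<std::string>& prefixes) {
    std::vector<OpenFile> out;
    DIR* d = opendir("/proc/self/fd");
    if (!d) return out;
    const int self = dirfd(d);                       // FD used by this scan
    while (dirent* e = readdir(d)) {
        char* endp = nullptr;
        long fd = strtol(e->d_name, &endp, 10);
        if (*endp != '\0' || fd == self) continue;   // skips "." and ".."
        char buf[4096];
        std::string link = std::string("/proc/self/fd/") + e->d_name;
        ssize_t n = readlink(link.c_str(), buf, sizeof buf - 1);
        if (n <= 0 || buf[0] != '/') continue;       // sockets, pipes, anon inodes
        std::string path(buf, static_cast<size_t>(n));
        if (!is_allowed(path, prefixes)) out.push_back({static_cast<int>(fd), path});
    }
    closedir(d);
    return out;
}
```

An allowlisted FD is only skipped by the check here; as the thread notes, what happens to it at checkpoint time is left to CRIU or whichever C/R engine is in use.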

