RFR: 8307977: jcmd and jstack broken for target processes running with elevated capabilities
Kevin Walls
kevinw at openjdk.org
Thu Feb 8 14:35:05 UTC 2024
On Tue, 30 Jan 2024 10:47:22 GMT, Sebastian Lövdahl <duke at openjdk.org> wrote:
> 8307977: jcmd and jstack broken for target processes running with elevated capabilities
Thanks, yes that's what I was thinking about.
I tested and think it's a good update to this change.
I tested setting
sudo setcap 'cap_net_bind_service=+ep' build/linux-x64/images/jdk/bin/java
..and then with jcmd I do see the EACCES on e.g. "/proc/27979/root/tmp/.java_pid27979"
I see the failure to attach, and I see it fixed by this change.
I also see the EACCESS on the .attach_pid file in cwd, e.g. in strace:
26682 open("/proc/26593/cwd/.attach_pid26593", O_RDWR|O_CREAT|O_EXCL, 0666 <unfinished ...>
...
26682 <... open resumed>) = -1 EACCES (Permission denied)
We catch this and retry in /tmp. But exactly as in your response, we can predict that and if not in a namespace, go straight to /tmp. I tested what you have there and it works well. Also tested that a new jcmd attaching to an older JDK, that still works.
One other thing - JDK-8226919 looks like the original bug for this, logged a few years back, so if this fixes both, the record should show that it fixes that one, and JDK-8307977 should be closed as a duplicate. I/somebody can take care of that JBS admin. But if this PR could be associated with only JDK-8226919 that would be simple.
Thanks! 8-)
-------------
PR Comment: https://git.openjdk.org/jdk/pull/17628#issuecomment-1934246614
More information about the serviceability-dev
mailing list