RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) [v3]

Sebastian Lövdahl duke at openjdk.org
Sun Jun 2 16:04:08 UTC 2024 

On Wed, 22 May 2024 19:04:22 GMT, Larry Cable <duke at openjdk.org> wrote:

>> Sebastian Lövdahl has updated the pull request incrementally with two additional commits since the last revision:
>> 
>>  - Remove unused `SELF_PID_NS`
>>  - Rewrite in line with suggestion from Larry Cable
>
> On 5/22/24 11:58 AM, Sebastian Lövdahl wrote:
>>
>>     I haven't but I will BTW which linux capabilities should be
>>     enabled in order to prevent a /proc/... style attach due to lack
>>     of permissions to access target's /proc fs? Rgds - Larry
>>
>> I know for sure that |CAP_NET_BIND_SERVICE| prevents access to 
>> |/proc/<pid>/root| at least. I don't know if there's any distinction 
>> between the different privileges a process can have to be honest, but 
>> I somehow got the impression that having /any/ privilege restricts 
>> access to |/proc/<pid>/root| (among others). But right now I cannot 
>> recall what gave me that impression. There's a long list of 
>> capabilities though: 
>> https://man7.org/linux/man-pages/man7/capabilities.7.html 
>> <https://urldefense.com/v3/__https://man7.org/linux/man-pages/man7/capabilities.7.html__;!!ACWV5N9M2RV99hQ!OuFFfoYFVnGvARkAQ11WdUPoVHR3GXEc-XbeZfOWFHFrQAJxR6-suOx9_j-qekgTrr5V66CAb7K0i0zi_0JV3zd5SA$>
>>
>>     it lives ...it lives!!!
>>
>>     I love it when a patch comes together!
>>
>>     :)
>>
>>     thx for testing this before my 1dt cup of coffee!
>>
>> Great feeling indeed! Ah, the best cup of the day, have a good one :)
>>
> 
> likewise Slainte Mhath!
> 
> - Larry
> 
>>>> Reply to this email directly, view it on GitHub 
>> <https://urldefense.com/v3/__https://github.com/openjdk/jdk/pull/19055*issuecomment-2125541556__;Iw!!ACWV5N9M2RV99hQ!OuFFfoYFVnGvARkAQ11WdUPoVHR3GXEc-XbeZfOWFHFrQAJxR6-suOx9_j-qekgTrr5V66CAb7K0i0zi_0JG0EA7Zg$>, 
>> or unsubscribe 
>> <https://urldefense.com/v3/__https://github.com/notifications/unsubscribe-auth/ANTA67VJZL3MIT2HANZ3BLDZDTTG7AVCNFSM6AAAAABHDNNTT6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMRVGU2DCNJVGY__;!!ACWV5N9M2RV99hQ!OuFFfoYFVnGvARkAQ11WdUPoVHR3GXEc-XbeZfOWFHFrQAJxR6-suOx9_j-qekgTrr5V66CAb7K0i0zi_0IYrO2-pA$>.
>> You are receiving this because you were mentioned.Message ID: 
>> ***@***.***>
>>
> 
> --------------Rdb42IWaMAGxS5O004yPY6ws
> Content-Type: text/html; charset=UTF-8
> Content-Transfer-Encoding: 8bit
> 
> <!DOCTYPE html><html><head>
> <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
>   </head>
>   <body>
>     <br>
>     <br>
>     <div class="moz-cite-prefix">On 5/22/24 11:58 AM, Sebastian Lövdahl
>       wrote:<br>
>     </div>
>     <blockquote type="cite" ***@***.***">
>       
>       <blockquote>
>         <p dir="auto">I haven't but I will BTW which linux capabilities
>           should be enabled in order to prevent a /proc/... style attach
>           due to lack of permissions to access target's /pro...

@larry-cable gentle ping, did you get a chance to test it any further?

Maybe @jerboaa and/or @kevinjwalls that reviewed #17628 / [JDK-8226919](https://bugs.openjdk.org/browse/JDK-8226919) would like to take a look at this fix as well?

Maybe it's getting a bit late now, but it would be really awesome if we could get this to land before RDP 1 (on Thursday the 6th), so we avoid regressing any use-cases in the upcoming JDK 23.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/19055#issuecomment-2143912533

More information about the serviceability-dev mailing list