RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container)

Thu May 2 22:33:28 UTC 2024

diff --git 
a/src/jdk.attach/linux/classes/sun/tools/attach/VirtualMachineImpl.java 
b/src/jdk.attach/linux/classes/sun/tools/attach/V
irtualMachineImpl.java
index 81d4fd259ed..74bd60c791d 100644

--- a/src/jdk.attach/linux/classes/sun/tools/attach/VirtualMachineImpl.java
+++ b/src/jdk.attach/linux/classes/sun/tools/attach/VirtualMachineImpl.java
@@ -34,6 +34,7 @@
  import java.nio.file.Path;
  import java.nio.file.Paths;
  import java.nio.file.Files;
+import java.util.Optional;

  import static java.nio.charset.StandardCharsets.UTF_8;

@@ -47,7 +48,21 @@ public class VirtualMachineImpl extends 
HotSpotVirtualMachine {
      // will not be able to find all Hotspot processes.
      // Any changes to this needs to be synchronized with HotSpot.
      private static final String tmpdir = "/tmp";
+
+    private static final Optional<Path> MOUNT_NS;
+
+    static {
+        Path mountns = null;
+        try {
+            mountns = Files.readSymbolicLink(Path.of("/proc/self/ns/mnt"));
+        } catch (IOException ioe) {
+        } finally {
+            MOUNT_NS = Optional.ofNullable(mountns);
+        }
+    }
+
      String socket_path;
+
      /**
       * Attaches to the target VM
       */
@@ -236,7 +251,18 @@ private File createAttachFile(int pid, int ns_pid) 
throws IOException {

      private String findTargetProcessTmpDirectory(int pid, int ns_pid) 
throws IOException {
          String root;
-        if (pid != ns_pid) {
+
+        Optional<Path> tgtMountNS = Optional.empty();
+
+        try {
+            tgtMountNS = 
Optional.ofNullable(Files.readSymbolicLink(Path.of("/proc", 
Integer.toString(pid), "ns", "mnt")));
+        } catch (IOException _) {
+          // do nothing...
+        }
+
+    final boolean sameMountNS = MOUNT_NS.isPresent() && 
tgtMountNS.isPresent() && MOUNT_NS.equals(tgtMountNS);
+
+        if (!sameMountNS || pid != ns_pid) {
              // A process may not exist in the same mount namespace as 
the caller, e.g.
              // if we are trying to attach to a JVM process inside a 
container.
              // Instead, attach relative to the target root filesystem 
as exposed by
@@ -248,11 +274,11 @@ private String findTargetProcessTmpDirectory(int 
pid, int ns_pid) throws IOExcep
                            "of target process %d", procRootDirectory, 
pid));
              }

-            root = procRootDirectory + "/" + tmpdir;
-        } else {
-            root = tmpdir;
-        }
-        return root;
+            return procRootDirectory + "/" + tmpdir;
+        } else if (sameMountNS) {
+            return tmpdir;
+        } else
+        throw new IOException(String.format("target process:%d and this 
do not share common mount namespace for: %s attach faile
d", pid, tmpdir));
      }

      /*

