RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) [v7]

[David Holmes]

On Sun, 29 Sep 2024 06:23:34 GMT, Sebastian Lövdahl <duke at openjdk.org> wrote:

>> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container)
>
> Sebastian Lövdahl has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains eight additional commits since the last revision:
> 
>  - Merge remote-tracking branch 'upstream/master' into 8327114-attach-from-container-to-container
>  - Clarify PID 1 check with comment
>  - Adapt code style
>  - Add test for the elevated privileges case
>  - Remove unused `SELF_PID_NS`
>  - Rewrite in line with suggestion from Larry Cable
>  - Reworked attach logic
>  - 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container)

We are seeing a number of test failures after this was integrated. Failing tests:
- containers/docker/TestJcmdWithSideCar.java
-  com/sun/tools/attach/PermissionTest.java
- 
I will file bugs, but the permission test fails because the new code throws a SecurityException when the SecurityManager is enabled:

Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/proc/self/ns/mnt" "readlink")
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:488)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:1085)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:411)
	at java.base/sun.nio.fs.UnixFileSystemProvider.readSymbolicLink(UnixFileSystemProvider.java:554)
	at java.base/java.nio.file.Files.readSymbolicLink(Files.java:1474)
	at jdk.attach/sun.tools.attach.VirtualMachineImpl.<clinit>(VirtualMachineImpl.java:66)

-------------

PR Comment: https://git.openjdk.org/jdk/pull/19055#issuecomment-2385009640