RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) [v7]

Larry Cable duke at openjdk.org
Tue Oct 1 20:12:50 UTC 2024


On Sun, 29 Sep 2024 06:23:34 GMT, Sebastian Lövdahl <duke at openjdk.org> wrote:

>> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container)
>
> Sebastian Lövdahl has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains eight additional commits since the last revision:
> 
>  - Merge remote-tracking branch 'upstream/master' into 8327114-attach-from-container-to-container
>  - Clarify PID 1 check with comment
>  - Adapt code style
>  - Add test for the elevated privileges case
>  - Remove unused `SELF_PID_NS`
>  - Rewrite in line with suggestion from Larry Cable
>  - Reworked attach logic
>  - 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container)

I believe we need to wrap the readlink() in an AccessController.doPrivileged() block ... something like this:

```java
try {
  targetMountNS = AccessController.doPrivileged(
    (PrivilegedExceptionAction<Optional<Path>>) () ->
      Optional.ofNullable(Files.readSymbolicLink(procPidPath.resolve(NS_MNT)))
  );
} catch (PrivilegedActionException _) {
  // ...
}
```

-------------

PR Comment: https://git.openjdk.org/jdk/pull/19055#issuecomment-2386973409

