RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) [v2]
Kevin Walls
kevinw at openjdk.org
Thu Oct 3 08:42:35 UTC 2024
On Wed, 2 Oct 2024 21:15:11 GMT, Larry Cable <duke at openjdk.org> wrote:
>> this is a fix to: https://bugs.openjdk.org/browse/JDK-8327114
>>
>> to resolve an issue detected in:
>>
>> https://bugs.openjdk.org/browse/JDK-8341246
>>
>> /proc/**/* file accesses should be performed as "privileged" actions to avoid security mgr exceptions.
>
> Larry Cable has updated the pull request incrementally with one additional commit since the last revision:
>
> JDK-8327114: fix to resolve permissions issue as per: 8341246, also privileged exists and isReadable invocations
I tested and saw the permission problem in the test was fixed by the policy update. But it's correct that it should really have a doPrivileged call, in case this happens with a Security Manager, and there's untrusted code which then calls into attach (with whatever policy permits that to happen...).
While SM is planned for removal very soon, it would be good to have the doPrivileged in the implementation so any backports can benefit.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/21312#issuecomment-2390845932