RFR: 8341482: Attach API access to /proc filesystem should use doPrivileged [v2]

Sebastian Lövdahl duke at openjdk.org
Tue Oct 15 19:08:13 UTC 2024 

On Wed, 2 Oct 2024 21:15:11 GMT, Larry Cable <duke at openjdk.org> wrote:

>> this is a fix to: https://bugs.openjdk.org/browse/JDK-8327114 
>> 
>> to resolve an issue detected in: 
>> 
>> https://bugs.openjdk.org/browse/JDK-8341246
>> 
>> /proc/**/* file accesses should be performed as "privileged" actions to avoid security mgr exceptions.
>
> Larry Cable has updated the pull request incrementally with one additional commit since the last revision:
> 
>   JDK-8327114: fix to resolve permissions issue as per: 8341246, also privileged exists and isReadable invocations

Thanks @larry-cable for looking into this!

The following test passes on my Ubuntu 24.04 with this PR at least.

`TestJcmdWithSideCar` with Docker:

make test TEST="jtreg:test/hotspot/jtreg/containers/docker/TestJcmdWithSideCar.java" JTREG="JAVA_OPTIONS=-Djdk.test.container.command=docker"


`TestJcmdWithSideCar` with Podman:

make test TEST="jtreg:test/hotspot/jtreg/containers/docker/TestJcmdWithSideCar.java" JTREG="JAVA_OPTIONS=-Djdk.test.container.command=podman"



make test TEST="jtreg:test/hotspot/jtreg/containers"
make test TEST="jtreg:test/hotspot/jtreg/serviceability"


FWIW, the `SecurityManager` PR (#21498) has been opened now. Ideally we would get this one in before it's merged.

src/jdk.attach/linux/classes/sun/tools/attach/VirtualMachineImpl.java line 70:

> 68:     @FunctionalInterface
> 69:     private interface IOFunction<T, R> {
> 70:       public R apply(T t) throws IOException;

Minor nit, indentation is a bit off compared to the rest of the file:

Suggestion:

        public R apply(T t) throws IOException;

src/jdk.attach/linux/classes/sun/tools/attach/VirtualMachineImpl.java line 76:

> 74:     private static <R> R filesFunctionPrivileged(IOFunction<Path, R> function, final Path path, Supplier<R> def) throws IOException {
> 75:       try {
> 76:         return AccessController.doPrivileged((PrivilegedExceptionAction<R>) () -> function.apply(path));

Ditto:

Suggestion:

          return AccessController.doPrivileged((PrivilegedExceptionAction<R>) () -> function.apply(path));

-------------

Marked as reviewed by slovdahl at github.com (no known OpenJDK username).

PR Review: https://git.openjdk.org/jdk/pull/21312#pullrequestreview-2370283806
PR Review Comment: https://git.openjdk.org/jdk/pull/21312#discussion_r1801747382
PR Review Comment: https://git.openjdk.org/jdk/pull/21312#discussion_r1801750306

More information about the serviceability-dev mailing list