[libattach] misleading error message when checking gid fails

stuart nelson hi at stuartnelson.xyz
Fri Jan 7 11:33:55 UTC 2022


Hey,

First, apologies if this should be directed to a different mailing list, I didn't find one that seemed correct in the mailing lists (https://mail.openjdk.java.net/mailman/listinfo).

I was building up a syscall filter list for a java process for seccomp, when I encountered this error stack trace:

(elided)
Caused by: java.io.IOException: well-known file /proc/1974261/root/tmp/.java_pid1974261 is not secure: file's group should be the current group (which is -1) but the group is 1000
    at jdk.attach/sun.tools.attach.VirtualMachineImpl.checkPermissions(Native Method)
    at jdk.attach/sun.tools.attach.VirtualMachineImpl.<init>(VirtualMachineImpl.java:112)
    at jdk.attach/sun.tools.attach.AttachProviderImpl.attachVirtualMachine(AttachProviderImpl.java:58)
    at jdk.attach/com.sun.tools.attach.VirtualMachine.attach(VirtualMachine.java:207)
    ... 6 more

The error originates from this line:
https://hg.openjdk.java.net/jdk/jdk/file/ee1d592a9f53/src/jdk.attach/linux/native/libattach/VirtualMachineImpl.c#l167

The value for gid is found on this line:
https://hg.openjdk.java.net/jdk/jdk/file/ee1d592a9f53/src/jdk.attach/linux/native/libattach/VirtualMachineImpl.c#l150

The reason getegid() returns -1 is because it wasn't in my allowed syscalls list for seccomp, so EPERM (-1) was returned instead.

My question is: -1 is an invalid gid. Should this be checked in the code, and a more helpful error message returned? It could definitely save future developers time.

Stuart

