Re: RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) [v3]

2024-06-05 Thread Sebastian Lövdahl
On Mon, 3 Jun 2024 23:07:00 GMT, Larry Cable wrote: >> Sebastian Lövdahl has updated the pull request incrementally with two >> additional commits since the last revision: >> >> - Remove unused `SELF_PID_NS` >> - Rewrite in line with suggestion from Larry Cabl

Re: RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) [v4]

2024-06-05 Thread Sebastian Lövdahl
> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid > (Kubernetes debug container) Sebastian Lövdahl has updated the pull request incrementally with one additional commit since the last revision: Add test for the elevated privileges case - Changes:

Re: RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) [v3]

2024-06-04 Thread Sebastian Lövdahl
On Tue, 21 May 2024 17:10:15 GMT, Sebastian Lövdahl wrote: >> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid >> (Kubernetes debug container) > > Sebastian Lövdahl has updated the pull request incrementally with two > additional commits si

Re: RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) [v3]

2024-06-03 Thread Sebastian Lövdahl
On Tue, 21 May 2024 17:10:15 GMT, Sebastian Lövdahl wrote: >> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid >> (Kubernetes debug container) > > Sebastian Lövdahl has updated the pull request incrementally with two > additional commits si

Re: RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) [v3]

2024-06-02 Thread Sebastian Lövdahl
On Wed, 22 May 2024 19:04:22 GMT, Larry Cable wrote: >> Sebastian Lövdahl has updated the pull request incrementally with two >> additional commits since the last revision: >> >> - Remove unused `SELF_PID_NS` >> - Rewrite in line with suggestion from Larry

Re: RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) [v3]

2024-05-22 Thread Sebastian Lövdahl
On Wed, 22 May 2024 18:40:00 GMT, Larry Cable wrote: > I haven't but I will BTW which linux capabilities should be enabled in order > to prevent a /proc/... style attach due to lack of permissions to access > target's /proc fs? Rgds - Larry I know for sure that `CAP_NET_BIND_SERVICE` prevents

Re: RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) [v3]

2024-05-22 Thread Sebastian Lövdahl
On Tue, 21 May 2024 17:10:15 GMT, Sebastian Lövdahl wrote: >> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid >> (Kubernetes debug container) > > Sebastian Lövdahl has updated the pull request incrementally with two > additional commits si

Re: RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) [v3]

2024-05-22 Thread Sebastian Lövdahl
On Tue, 21 May 2024 21:06:22 GMT, Larry Cable wrote: >> Sebastian Lövdahl has updated the pull request incrementally with two >> additional commits since the last revision: >> >> - Remove unused `SELF_PID_NS` >> - Rewrite in line with suggestion from Larry Cab

Re: RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) [v2]

2024-05-21 Thread Sebastian Lövdahl
On Mon, 6 May 2024 18:31:06 GMT, Larry Cable wrote: >> Sebastian Lövdahl has updated the pull request incrementally with one >> additional commit since the last revision: >> >> Reworked attach logic > > On 5/6/24 10:35 AM, Sebastian Lövdahl wrote: >

Re: RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) [v3]

2024-05-21 Thread Sebastian Lövdahl
> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid > (Kubernetes debug container) Sebastian Lövdahl has updated the pull request incrementally with two additional commits since the last revision: - Remove unused `SELF_PID_NS` - Rewrite in line with suggestion from

Re: RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) [v2]

2024-05-21 Thread Sebastian Lövdahl
On Sun, 12 May 2024 18:38:34 GMT, Sebastian Lövdahl wrote: > In these cases, is it not a requirement that jcmd is run as root? So even if > the target process is run with elevated privileges, attaching would always > work. Or is there some way to attach from host to container with a

Re: RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) [v2]

2024-05-12 Thread Sebastian Lövdahl
On Mon, 6 May 2024 18:31:06 GMT, Larry Cable wrote: >> Sebastian Lövdahl has updated the pull request incrementally with one >> additional commit since the last revision: >> >> Reworked attach logic > > On 5/6/24 10:35 AM, Sebastian Lövdahl wrote: >

Re: RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) [v2]

2024-05-06 Thread Sebastian Lövdahl
On Mon, 6 May 2024 17:29:05 GMT, Sebastian Lövdahl wrote: >> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid >> (Kubernetes debug container) > > Sebastian Lövdahl has updated the pull request incrementally with one > additional commit si

Re: RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) [v2]

2024-05-06 Thread Sebastian Lövdahl
> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid > (Kubernetes debug container) Sebastian Lövdahl has updated the pull request incrementally with one additional commit since the last revision: Reworked attach logic - Changes: - all:

Re: RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container)

2024-05-06 Thread Sebastian Lövdahl
On Fri, 3 May 2024 17:40:54 GMT, jdoylei wrote: > > I think it boils down to the same reason as why the fix for JDK-8226919 was > > needed in the first place - a non-root user cannot read the symlinks in > > `/proc//ns` for a process running with more privileges even though > > it's run by

Re: [External] : Re: [openjdk/jdk] 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) (PR #19055)

2024-05-06 Thread Sebastian Lövdahl
h elevated privs and it exists) return "/tmp" which may still fail because they are in fact not in the same mnt ns what about /proc//cwd? - Larry On 5/3/24 9:43 AM, Sebastian Lövdahl wrote: Thanks for the patch @larry-cable <https://urldefense.com/v3/__https://github.com/larry-ca

Re: RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container)

2024-05-03 Thread Sebastian Lövdahl
On Thu, 2 May 2024 10:13:51 GMT, Sebastian Lövdahl wrote: > 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid > (Kubernetes debug container) Thanks for the patch @larry-cable, much appreciated! I really like this idea. I tried it out a bit locally. These cases seem t

Re: RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container)

2024-05-02 Thread Sebastian Lövdahl
On Thu, 2 May 2024 10:13:51 GMT, Sebastian Lövdahl wrote: > 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid > (Kubernetes debug container) Ran the following tests locally: $ make test TEST="jtreg:test/hotspot/jtreg/containers" ... ===

Re: RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container)

2024-05-02 Thread Sebastian Lövdahl
On Thu, 2 May 2024 10:13:51 GMT, Sebastian Lövdahl wrote: > 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid > (Kubernetes debug container) This is a first stab at fixing the regression introduced in #17628. There has been a bit of discussion in https://mail.openj

RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container)

2024-05-02 Thread Sebastian Lövdahl
8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) - Commit messages: - 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) Changes: https://git.openjdk.org/jdk/pull/19055/files Webrev:

Re: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container)

2024-05-02 Thread Sebastian Lövdahl
ree that these are the types of choices available? Thanks, Jim -- Sebastian Lövdahl Software Architect, Hibox Systems - https://www.hibox.tv sebastian.lovd...@hibox.tv

Re: RFR: 8226919: attach in linux hangs due to permission denied accessing /proc/pid/root

2024-05-01 Thread Sebastian Lövdahl
On Wed, 1 May 2024 17:30:05 GMT, Larry Cable wrote: >> src/jdk.attach/linux/classes/sun/tools/attach/VirtualMachineImpl.java line >> 217: >> >>> 215: // Instead, attach relative to the target root filesystem as >>> exposed by >>> 216: // procfs regardless of namespaces. >>>

Re: RFR: 8226919: attach in linux hangs due to permission denied accessing /proc/pid/root

2024-04-28 Thread Sebastian Lövdahl
On Fri, 1 Mar 2024 15:22:51 GMT, jdoylei wrote: >> Logged https://bugs.openjdk.org/browse/JDK-8327114 for investigation. >> Thanks @jdoylei ! > > @kevinjwalls - Perfect, thank you for opening the JBS bug! Thanks for the detailed write-up, @jdoylei! I'm sorry to have introduced a regression

8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container)

2024-04-28 Thread Sebastian Lövdahl
roach and for not doing it. Thoughts about this? I could try to give it a look if you think it makes sense. Best regards, -- Sebastian Lövdahl Senior Software Engineer, Hibox Systems - https://www.hibox.tv sebastian.lovd...@hibox.tv

Re: RFR: 8226919: attach in linux hangs due to permission denied accessing /proc/pid/root

2024-02-09 Thread Sebastian Lövdahl
On Fri, 9 Feb 2024 18:22:47 GMT, Kevin Walls wrote: >> Alright, sounds good to me. :) Thanks again for taking a look! >> >>> One other thing - JDK-8226919 looks like the original bug for this, logged >>> a few years back, so if this fixes both, the record should show that it >>> fixes that

Integrated: 8226919: attach in linux hangs due to permission denied accessing /proc/pid/root

2024-02-09 Thread Sebastian Lövdahl
On Tue, 30 Jan 2024 10:47:22 GMT, Sebastian Lövdahl wrote: > 8226919: attach in linux hangs due to permission denied accessing > /proc/pid/root This pull request has now been integrated. Changeset: ac4607ed Author: Sebastian Lövdahl Committer: Kevin Walls URL:

Re: RFR: 8307977: jcmd and jstack broken for target processes running with elevated capabilities

2024-02-09 Thread Sebastian Lövdahl
On Tue, 30 Jan 2024 10:47:22 GMT, Sebastian Lövdahl wrote: > 8307977: jcmd and jstack broken for target processes running with elevated > capabilities Alright, sounds good to me. :) Thanks again for taking a look! > One other thing - JDK-8226919 looks like the original bug for thi

Re: RFR: 8307977: jcmd and jstack broken for target processes running with elevated capabilities

2024-02-08 Thread Sebastian Lövdahl
On Tue, 6 Feb 2024 17:08:43 GMT, Kevin Walls wrote: > Does CAP_NET_BIND_SERVICE cause any issues for createAttachFile(int pid, int > ns_pid) where it creates the .attach file in the current directory - it > starts by trying "/proc/" + pid + "/cwd/" + ".attach_pid" + ns_pid, > regardless of

Re: RFR: 8307977: jcmd and jstack broken for target processes running with elevated capabilities

2024-01-31 Thread Sebastian Lövdahl
On Wed, 31 Jan 2024 10:01:37 GMT, Severin Gehwolf wrote: > Thanks! Please make sure that the tests actually ran. If, for example, docker > is not installed, they get skipped. Ah, good point. Running the tests did take some amount of time, so it felt like they did something. And by spamming

Re: RFR: 8307977: jcmd and jstack broken for target processes running with elevated capabilities

2024-01-31 Thread Sebastian Lövdahl
On Tue, 30 Jan 2024 17:00:16 GMT, Bernd Eckenfels wrote: > Is that actually safe to allow low privileged user context to attach and > control to a higher prived? It can at least overwrite files, but probably > also inject code? On the native level a ptrace(2) would probably not be >

Re: RFR: 8307977: jcmd and jstack broken for target processes running with elevated capabilities

2024-01-31 Thread Sebastian Lövdahl
On Tue, 30 Jan 2024 13:57:43 GMT, Severin Gehwolf wrote: >> 8307977: jcmd and jstack broken for target processes running with elevated >> capabilities > > `test/hotspot/jtreg/serviceability` tests would also be worth running. Hi @jerboaa, thanks a lot for the hints! The container tests were

Re: RFR: 8307977: Fix dynamic attach to processes with elevated capabilities on Linux

2024-01-30 Thread Sebastian Lövdahl
On Tue, 30 Jan 2024 10:47:22 GMT, Sebastian Lövdahl wrote: > 8307977: Fix dynamic attach to processes with elevated capabilities on Linux I have poked around in the JDK sources but not found any tests related to this. Is there some prior art to look at? Anyway, this is how I reprodu

RFR: 8307977: Fix dynamic attach to processes with elevated capabilities on Linux

2024-01-30 Thread Sebastian Lövdahl
8307977: Fix dynamic attach to processes with elevated capabilities on Linux - Commit messages: - 8307977: Fix dynamic attach to processes with elevated capabilities on Linux Changes: https://git.openjdk.org/jdk/pull/17628/files Webrev:

8226919: attach in linux hangs due to permission denied accessing /proc/pid/root

2023-05-04 Thread Sebastian Lövdahl
via /proc/pid/root/tmp/.java_pid. First of all, is there consensus that this should be fixed? If yes, are there any flaws in the analysis above? Best regards, Sebastian Lövdahl