Bug#1034392: Acknowledgement (tomcat9: jstack/jcmd broken for non-root users with tomcat9+jdk11 or greater)

[Per Lundberg]

FYI: An OpenJDK bug regarding this has now been opened as well:
https://bugs.openjdk.org/browse/JDK-8307977
--
Best regards,
Per

Bug#1034392: Acknowledgement (tomcat9: jstack/jcmd broken for non-root users with tomcat9+jdk11 or greater)

[Per Lundberg]

On 2023-04-20 00:03, Vladimir Petko wrote:


Oh, thank you for providing a patch for a quite annoying bug


The pleasure is ours. :-) (I didn't write the patch myself but I helped
out a bit with the initial debugging)


Would it be possible to add a header to the patch, so that it is
possible to see where it came from and why, e.g.


Great suggestions - I have added the header as suggested to the patch.

As mentioned, we haven't tested this on JDK 11. If someone has the JDK
11 sources & build environment readily available, it would be great to
get it verified if it works there as well. (This does not hinder the
patch from being applied to JDK 17 already, from my POV.)
--
Best regards,
PerDescription: attach in linux hangs due to permission denied accessing /proc/pid/root
  The attach API uses /proc/pid/root in order to support containers.
  Dereferencing this symlink is governed by ptrace access mode PTRACE_MODE_READ_FSCREDS
  which may not succeed when running as the user running the JRE.
  This breaks running jcmd and jmap as the same user the JVM is running as.
  Use tmpdir when pid matches ns_pid.
Author: Sebastian Lövdahl 
Bug: https://bugs.openjdk.org/browse/JDK-8226919
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034601
Last-Update: 2023-04-18

From 36b554e2de46d77898be4d0feae0ee2171b445bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20L=C3=B6vdahl?= 
Date: Tue, 18 Apr 2023 12:50:32 +0300
Subject: [PATCH] 8226919: Fix dynamic attach in Linux for non-container
 environments

---
 .../sun/tools/attach/VirtualMachineImpl.java  | 37 ---
 1 file changed, 23 insertions(+), 14 deletions(-)

diff --git a/src/jdk.attach/linux/classes/sun/tools/attach/VirtualMachineImpl.java b/src/jdk.attach/linux/classes/sun/tools/attach/VirtualMachineImpl.java
index 324e52235cb..605adc20157 100644
--- a/src/jdk.attach/linux/classes/sun/tools/attach/VirtualMachineImpl.java
+++ b/src/jdk.attach/linux/classes/sun/tools/attach/VirtualMachineImpl.java
@@ -209,11 +209,8 @@ public class VirtualMachineImpl extends HotSpotVirtualMachine {
 }

 // Return the socket file for the given process.
-private File findSocketFile(int pid, int ns_pid) {
-// A process may not exist in the same mount namespace as the caller.
-// Instead, attach relative to the target root filesystem as exposed by
-// procfs regardless of namespaces.
-String root = "/proc/" + pid + "/root/" + tmpdir;
+private File findSocketFile(int pid, int ns_pid) throws IOException {
+String root = findTargetProcessTmpDirectory(pid, ns_pid);
 return new File(root, ".java_pid" + ns_pid);
 }

@@ -229,21 +226,33 @@ public class VirtualMachineImpl extends HotSpotVirtualMachine {
 // Do not canonicalize the file path, or we will fail to attach to a VM in a container.
 f.createNewFile();
 } catch (IOException x) {
-String root;
-if (pid != ns_pid) {
-// A process may not exist in the same mount namespace as the caller.
-// Instead, attach relative to the target root filesystem as exposed by
-// procfs regardless of namespaces.
-root = "/proc/" + pid + "/root/" + tmpdir;
-} else {
-root = tmpdir;
-}
+String root = findTargetProcessTmpDirectory(pid, ns_pid);
 f = new File(root, fn);
 f.createNewFile();
 }
 return f;
 }

+private String findTargetProcessTmpDirectory(int pid, int ns_pid) throws IOException {
+String root;
+if (pid != ns_pid) {
+// A process may not exist in the same mount namespace as the caller.
+// Instead, attach relative to the target root filesystem as exposed by
+// procfs regardless of namespaces.
+String procRootDirectory = "/proc/" + pid + "/root";
+if (!Files.isReadable(Path.of(procRootDirectory))) {
+throw new IOException(
+String.format("Unable to access root directory %s " +
+  "of target process %d", procRootDirectory, pid));
+}
+
+root = procRootDirectory + "/" + tmpdir;
+} else {
+root = tmpdir;
+}
+return root;
+}
+
 /*
  * Write/sends the given to the target VM. String is transmitted in
  * UTF-8 encoding.
--
2.40.0

Bug#1034392: Acknowledgement (tomcat9: jstack/jcmd broken for non-root users with tomcat9+jdk11 or greater)

[Vladimir Petko]

Hi,

Oh, thank you for providing a patch for a quite annoying bug

Would it be possible to add a header to the patch, so that it is
possible to see where it came from and why, e.g.
---cut--
Description: attach in linux hangs due to permission denied accessing
/proc/pid/root
  The attach API uses /proc/pid/root in order to support containers.
  Dereferencing this symlink is governed by ptrace access mode
PTRACE_MODE_READ_FSCREDS
  which may not succeed when running as the user running the JRE.
  This breaks running jcmd and jmap as the same user the JVM is running as.
  Use tmpdir when pid matches ns_pid.
Author: Sebastian Lovdahl 
Bug: https://bugs.openjdk.org/browse/JDK-8226919
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034601
Last-Update: 2023-04-18
---cut--

Best Regards,
 Vladimir.

On Wed, Apr 19, 2023 at 9:57 PM Per Lundberg  wrote:
>
> On 2023-04-19 10:22, Thorsten Glaser wrote:
> > On Tue, 18 Apr 2023, Per Lundberg wrote:
> >
> >> wanted to share it with you as well. One option would be to include this in
> >> Debian's set of local JDK patches
> >
> > Shouldn’t this be added to 11 as well? Apparently, both are affected.
>
> Good point. Yes, it should.
>
> > The OpenJDK (except for 8 which the ELTS people and I mostly work on)
> > is not maintained by the debian-java people but by Doko.
>
> Hmm... who/what are Doko?
>
> > The usual way to hope for inclusion is to clone the bugreport, assign
> > one to src:openjdk-11 and the other to src:openjdk-17, mail the patch
> > with a description, add the tag patch and pray.
>
> Thanks for the detailed description! I have done exactly that now. Here
> are the new bugs (added to the Cc line as well):
>
> - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034600
> - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034601
>
> To those reading this who might not have the context: the patch attached
> to the previous message in this thread fixes an issue with jstack/cmd
> and similar tools not being able to connect to processes with Linux
> capabilities added to them, when the processes are running as non-root.
> This is a regression in the JDK:
> https://bugs.openjdk.org/browse/JDK-8226919
>
> The patch has been successfully tested on JDK 17 and works fine,
> according to our testing. No guarantees are given as to whether it works
> on JDK 11, but as long as it applies cleanly, it "should" be fine.
>
> Best regards,
> Per
>

Bug#1034392: Acknowledgement (tomcat9: jstack/jcmd broken for non-root users with tomcat9+jdk11 or greater)

[Per Lundberg]

On 2023-04-19 10:22, Thorsten Glaser wrote:

On Tue, 18 Apr 2023, Per Lundberg wrote:


wanted to share it with you as well. One option would be to include this in
Debian's set of local JDK patches


Shouldn’t this be added to 11 as well? Apparently, both are affected.


Good point. Yes, it should.


The OpenJDK (except for 8 which the ELTS people and I mostly work on)
is not maintained by the debian-java people but by Doko.


Hmm... who/what are Doko?


The usual way to hope for inclusion is to clone the bugreport, assign
one to src:openjdk-11 and the other to src:openjdk-17, mail the patch
with a description, add the tag patch and pray.


Thanks for the detailed description! I have done exactly that now. Here 
are the new bugs (added to the Cc line as well):


- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034600
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034601

To those reading this who might not have the context: the patch attached 
to the previous message in this thread fixes an issue with jstack/cmd

and similar tools not being able to connect to processes with Linux
capabilities added to them, when the processes are running as non-root.
This is a regression in the JDK:
https://bugs.openjdk.org/browse/JDK-8226919

The patch has been successfully tested on JDK 17 and works fine,
according to our testing. No guarantees are given as to whether it works
on JDK 11, but as long as it applies cleanly, it "should" be fine.

Best regards,
Per

Bug#1034392: Acknowledgement (tomcat9: jstack/jcmd broken for non-root users with tomcat9+jdk11 or greater)

[Thorsten Glaser]

On Tue, 18 Apr 2023, Per Lundberg wrote:

> A short update on this. This is a known regression in more recent versions of
> Java: https://bugs.openjdk.org/browse/JDK-8226919
>
> One of my colleagues (thanks, Sebastian!) managed to workaround this by
> patching the JDK 17 sources to make it use plain /tmp in this case (when 
> ns_pid
> == pid), and also added some better error handling in case this fails.
>
> We are currently working on getting this submitted upstream to OpenJDK, but I

That’s a good path.

> wanted to share it with you as well. One option would be to include this in
> Debian's set of local JDK patches

Shouldn’t this be added to 11 as well? Apparently, both are affected.

> but I don't know how conservative the project is re. fixes like this? I'll
> leave this up to the debian-java maintainers to decide.

The OpenJDK (except for 8 which the ELTS people and I mostly work on)
is not maintained by the debian-java people but by Doko.

The usual way to hope for inclusion is to clone the bugreport, assign
one to src:openjdk-11 and the other to src:openjdk-17, mail the patch
with a description, add the tag patch and pray.

bye,
//mirabilos
-- 
Infrastrukturexperte • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephon +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg


/⁀\ The UTF-8 Ribbon
╲ ╱ Campaign against  Mit dem tarent-Newsletter nichts mehr verpassen:
 ╳  HTML eMail! Also, https://www.tarent.de/newsletter
╱ ╲ header encryption!

Bug#1034392: Acknowledgement (tomcat9: jstack/jcmd broken for non-root users with tomcat9+jdk11 or greater)

[Per Lundberg]

Hi,

A short update on this. This is a known regression in more recent 
versions of Java: https://bugs.openjdk.org/browse/JDK-8226919


One of my colleagues (thanks, Sebastian!) managed to workaround this by 
patching the JDK 17 sources to make it use plain /tmp in this case (when 
ns_pid == pid), and also added some better error handling in case this 
fails.


We are currently working on getting this submitted upstream to OpenJDK, 
but I wanted to share it with you as well. One option would be to 
include this in Debian's set of local JDK patches 
(https://salsa.debian.org/openjdk-team/openjdk/-/tree/master/debian/patches), 
but I don't know how conservative the project is re. fixes like this? 
I'll leave this up to the debian-java maintainers to decide.


Best regards,
Per--- a/src/jdk.attach/linux/classes/sun/tools/attach/VirtualMachineImpl.java
+++ b/src/jdk.attach/linux/classes/sun/tools/attach/VirtualMachineImpl.java
@@ -209,11 +209,8 @@ public class VirtualMachineImpl extends HotSpotVirtualMachine {
 }
 
 // Return the socket file for the given process.
-private File findSocketFile(int pid, int ns_pid) {
-// A process may not exist in the same mount namespace as the caller.
-// Instead, attach relative to the target root filesystem as exposed by
-// procfs regardless of namespaces.
-String root = "/proc/" + pid + "/root/" + tmpdir;
+private File findSocketFile(int pid, int ns_pid) throws IOException {
+String root = findTargetProcessTmpDirectory(pid, ns_pid);
 return new File(root, ".java_pid" + ns_pid);
 }
 
@@ -229,21 +226,33 @@ public class VirtualMachineImpl extends HotSpotVirtualMachine {
 // Do not canonicalize the file path, or we will fail to attach to a VM in a container.
 f.createNewFile();
 } catch (IOException x) {
-String root;
-if (pid != ns_pid) {
-// A process may not exist in the same mount namespace as the caller.
-// Instead, attach relative to the target root filesystem as exposed by
-// procfs regardless of namespaces.
-root = "/proc/" + pid + "/root/" + tmpdir;
-} else {
-root = tmpdir;
-}
+String root = findTargetProcessTmpDirectory(pid, ns_pid);
 f = new File(root, fn);
 f.createNewFile();
 }
 return f;
 }
 
+private String findTargetProcessTmpDirectory(int pid, int ns_pid) throws IOException {
+String root;
+if (pid != ns_pid) {
+// A process may not exist in the same mount namespace as the caller.
+// Instead, attach relative to the target root filesystem as exposed by
+// procfs regardless of namespaces.
+String procRootDirectory = "/proc/" + pid + "/root";
+if (!Files.isReadable(Path.of(procRootDirectory))) {
+throw new IOException(
+String.format("Unable to access root directory %s " +
+  "of target process %d", procRootDirectory, pid));
+}
+
+root = procRootDirectory + "/" + tmpdir;
+} else {
+root = tmpdir;
+}
+return root;
+}
+
 /*
  * Write/sends the given to the target VM. String is transmitted in
  * UTF-8 encoding.