On Tue, 30 Jan 2024 12:13:05 GMT, Per Lundberg <d...@openjdk.org> wrote:

>> 8226919: attach in linux hangs due to permission denied accessing 
>> /proc/pid/root
>
> src/jdk.attach/linux/classes/sun/tools/attach/VirtualMachineImpl.java line 
> 217:
> 
>> 215:         // Instead, attach relative to the target root filesystem as 
>> exposed by
>> 216:         // procfs regardless of namespaces.
>> 217:         String root = "/proc/" + pid + "/root/" + tmpdir;
> 
> Helping myself and other future readers understand this: the problem with the 
> previous implementation is that the code _assumed_ that the tmpdir could be 
> accessed this way (`/proc/<pid>/root/<tmpdir>`). In other words:
> 
> * The code for creating the socket would correctly check if `pid != ns_pid` 
> and then act accordingly (`/proc/<pid>/root/<tmpdir>` or just plain 
> `<tmpdir>`)
> * The code for reading the socket would not have the check the above. It 
> would resort to always use `/proc/<pid>/root/<tmpdir>`.
> * For certain scenarios (`CAP_NET_BIND_SERVICE`-processes, as described in 
> https://github.com/openjdk/jdk/pull/17628#issuecomment-1916589081), we would 
> get a `Permission denied` when trying to access the temporary directory like 
> this.
> 
> What this PR does is to ensure that the same `pid != ns_pid` check is used 
> both when creating and reading the socket, and fall back to `<tmpdir>` when 
> no namespacing is being used. This seems to work better for these processes 
> with elevated permissions.

should it not be comparing pid namespace ids and not pids?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/17628#discussion_r1586542476

Reply via email to