On Wed, 22 May 2024 18:40:00 GMT, Larry Cable <d...@openjdk.org> wrote:
> I haven't but I will
>
> BTW which linux capabilities should be enabled in order
> to prevent a /proc/... style attach due to lack of permissions to access
> target's /proc fs?
>
> Rgds - Larry

I know for sure that `CAP_NET_BIND_SERVICE` prevents access to `/proc/<pid>/root` at least. I don't know if there's any distinction between the different privileges a process can have to be honest, but I somehow got the impression that having _any_ privilege restricts access to `/proc/<pid>/root` (among others). But right now I cannot recall what gave me that impression.

There's a long list of capabilities though: https://man7.org/linux/man-pages/man7/capabilities.7.html

> it lives ...it lives!!!
>
> I love it when a patch comes together!
>
> :)
>
> thx for testing this before my 1st cup of coffee!

Great feeling indeed! Ah, the best cup of the day, have a good one :)

-------------

PR Comment: https://git.openjdk.org/jdk/pull/19055#issuecomment-2125541556
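
An added diagnostic example (not part of this message or of the JDK change): ptrace(2) describes a capability step in the access check that guards `/proc/<pid>/root`, where the target's permitted set must be a subset of the caller's capabilities unless the caller holds `CAP_SYS_PTRACE`. The sketch below evaluates only that step from two `/proc/<pid>/status` texts; the status samples are constructed, the function names are hypothetical, and it assumes both processes share a user namespace and that the caller's effective set is the one compared.

```python
import re

# Bit numbers from <linux/capability.h>; only a few names are spelled out here.
CAP_NAMES = {0: "CAP_CHOWN", 10: "CAP_NET_BIND_SERVICE", 12: "CAP_NET_ADMIN",
             19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN"}
CAP_SYS_PTRACE = 19

def parse_caps(status_text):
    """Return {'CapPrm': int, 'CapEff': int, ...} from /proc/<pid>/status text."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)", status_text, re.M)}

def cap_names(mask):
    """Decode a capability bitmask into names (cap_<n> for bits not listed above)."""
    return [CAP_NAMES.get(bit, f"cap_{bit}") for bit in range(64) if mask >> bit & 1]

def capability_step(caller_status, target_status):
    """Evaluate the capability step only; uid/gid, dumpable and LSM checks are
    not modelled. Returns (allowed, capabilities the caller is missing)."""
    caller = parse_caps(caller_status)
    target = parse_caps(target_status)
    if caller["CapEff"] >> CAP_SYS_PTRACE & 1:
        return True, []
    # Assumption: the caller's effective set is compared (filesystem-credential check).
    missing = target["CapPrm"] & ~caller["CapEff"]
    return missing == 0, cap_names(missing)

# Constructed samples: an unprivileged attaching tool, and a target JVM that
# holds CAP_NET_BIND_SERVICE (bit 10) in its permitted and effective sets.
PLAIN_STATUS = ("Name:\tjcmd\nCapInh:\t0000000000000000\n"
                "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n")
TARGET_STATUS = ("Name:\tjava\nCapInh:\t0000000000000000\n"
                 "CapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n")
PTRACE_STATUS = ("Name:\tjcmd\nCapInh:\t0000000000000000\n"
                 "CapPrm:\t0000000000080000\nCapEff:\t0000000000080000\n")

if __name__ == "__main__":
    for label, caller in (("plain", PLAIN_STATUS), ("ptrace", PTRACE_STATUS)):
        ok, missing = capability_step(caller, TARGET_STATUS)
        print(f"{label} caller: allowed={ok} missing={missing}")
```

On a live system, pass the contents of `/proc/self/status` and `/proc/<pid>/status` instead of the constructed samples.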