Re: RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) [v3]

Larry Cable Wed, 22 May 2024 12:07:30 -0700

On Tue, 21 May 2024 17:10:15 GMT, Sebastian Lövdahl <d...@openjdk.org> wrote:


>> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid 
>> (Kubernetes debug container)
>
> Sebastian Lövdahl has updated the pull request incrementally with two 
> additional commits since the last revision:
> 
>  - Remove unused `SELF_PID_NS`
>  - Rewrite in line with suggestion from Larry Cable

On 5/22/24 11:58 AM, Sebastian Lövdahl wrote:
>
>     I haven't but I will BTW which linux capabilities should be
>     enabled in order to prevent a /proc/... style attach due to lack
>     of permissions to access target's /proc fs? Rgds - Larry
>
> I know for sure that |CAP_NET_BIND_SERVICE| prevents access to 
> |/proc/<pid>/root| at least. I don't know if there's any distinction 
> between the different privileges a process can have to be honest, but 
> I somehow got the impression that having /any/ privilege restricts 
> access to |/proc/<pid>/root| (among others). But right now I cannot 
> recall what gave me that impression. There's a long list of 
> capabilities though: 
> https://man7.org/linux/man-pages/man7/capabilities.7.html 
> <https://urldefense.com/v3/__https://man7.org/linux/man-pages/man7/capabilities.7.html__;!!ACWV5N9M2RV99hQ!OuFFfoYFVnGvARkAQ11WdUPoVHR3GXEc-XbeZfOWFHFrQAJxR6-suOx9_j-qekgTrr5V66CAb7K0i0zi_0JV3zd5SA$>
>
>     it lives ...it lives!!!
>
>     I love it when a patch comes together!
>
>     :)
>
>     thx for testing this before my 1dt cup of coffee!
>
> Great feeling indeed! Ah, the best cup of the day, have a good one :)
>

likewise Slainte Mhath!

- Larry

> —
> Reply to this email directly, view it on GitHub 
> <https://urldefense.com/v3/__https://github.com/openjdk/jdk/pull/19055*issuecomment-2125541556__;Iw!!ACWV5N9M2RV99hQ!OuFFfoYFVnGvARkAQ11WdUPoVHR3GXEc-XbeZfOWFHFrQAJxR6-suOx9_j-qekgTrr5V66CAb7K0i0zi_0JG0EA7Zg$>,
>  
> or unsubscribe 
> <https://urldefense.com/v3/__https://github.com/notifications/unsubscribe-auth/ANTA67VJZL3MIT2HANZ3BLDZDTTG7AVCNFSM6AAAAABHDNNTT6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMRVGU2DCNJVGY__;!!ACWV5N9M2RV99hQ!OuFFfoYFVnGvARkAQ11WdUPoVHR3GXEc-XbeZfOWFHFrQAJxR6-suOx9_j-qekgTrr5V66CAb7K0i0zi_0IYrO2-pA$>.
> You are receiving this because you were mentioned.Message ID: 
> ***@***.***>
>

--------------Rdb42IWaMAGxS5O004yPY6ws
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

<!DOCTYPE html><html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body>
    <br>
    <br>
    <div class="moz-cite-prefix">On 5/22/24 11:58 AM, Sebastian Lövdahl
      wrote:<br>
    </div>
    <blockquote type="cite" ***@***.***">
      
      <blockquote>
        <p dir="auto">I haven't but I will BTW which linux capabilities
          should be enabled in order to prevent a /proc/... style attach
          due to lack of permissions to access target's /proc fs? Rgds -
          Larry</p>
      </blockquote>
      <p dir="auto">I know for sure that <code 
class="notranslate">CAP_NET_BIND_SERVICE</code>
        prevents access to <code 
class="notranslate">/proc/&lt;pid&gt;/root</code>
        at least. I don't know if there's any distinction between the
        different privileges a process can have to be honest, but I
        somehow got the impression that having <em>any</em> privilege
        restricts access to <code 
class="notranslate">/proc/&lt;pid&gt;/root</code>
        (among others). But right now I cannot recall what gave me that
        impression. There's a long list of capabilities though: <a 
href="https://urldefense.com/v3/__https://man7.org/linux/man-pages/man7/capabilities.7.html__;!!ACWV5N9M2RV99hQ!OuFFfoYFVnGvARkAQ11WdUPoVHR3GXEc-XbeZfOWFHFrQAJxR6-suOx9_j-qekgTrr5V66CAb7K0i0zi_0JV3zd5SA$";
 rel="nofollow" 
moz-do-not-send="true">https://man7.org/linux/man-pages/man7/capabilities.7.html</a></p>
      <blockquote>
        <p dir="auto">it lives ...it lives!!!</p>
        <p dir="auto">I love it when a patch comes together!</p>
        <p dir="auto">:)</p>
        <p dir="auto">thx for testing this before my 1dt cup of coffee!</p>
      </blockquote>
      <p dir="auto">Great feeling indeed! Ah, the best cup of the day,
        have a good one :)</p>
    </blockquote>
    <br>
    likewise Slainte Mhath!<br>
    <br>
    - Larry<br>
    <br>
    <blockquote type="cite" ***@***.***">
      <p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br>
        Reply to this email directly, <a 
href="https://urldefense.com/v3/__https://github.com/openjdk/jdk/pull/19055*issuecomment-2125541556__;Iw!!ACWV5N9M2RV99hQ!OuFFfoYFVnGvARkAQ11WdUPoVHR3GXEc-XbeZfOWFHFrQAJxR6-suOx9_j-qekgTrr5V66CAb7K0i0zi_0JG0EA7Zg$";
 moz-do-not-send="true">view it on GitHub</a>, or <a 
href="https://urldefense.com/v3/__https://github.com/notifications/unsubscribe-auth/ANTA67VJZL3MIT2HANZ3BLDZDTTG7AVCNFSM6AAAAABHDNNTT6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMRVGU2DCNJVGY__;!!ACWV5N9M2RV99hQ!OuFFfoYFVnGvARkAQ11WdUPoVHR3GXEc-XbeZfOWFHFrQAJxR6-suOx9_j-qekgTrr5V66CAb7K0i0zi_0IYrO2-pA$";
 moz-do-not-send="true">unsubscribe</a>.<br>
        You are receiving this because you were mentioned.<img 
src="https://github.com/notifications/beacon/ANTA67VXC2SXHYIOCXNVH3DZDTTG7A5CNFSM6AAAAABHDNNTT6WGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTT6WEYLI.gif";
 alt="" moz-do-not-send="true" width="1" height="1"><span style="color: 
transparent; font-size: 0; display: none; visibility: hidden; overflow: hidden; 
opacity: 0; width: 0; height: 0; max-width: 0; max-height: 0; mso-hide: 
all">Message
          ID: 
<span>&lt;openjdk/jdk/pull/19055/c2125541556</span><span>@</span><span>github</span><span>.</span><span>com&gt;</span></span></p>
      <script type="application/ld+json">[
{
***@***.***": "http://schema.org";,
***@***.***": "EmailMessage",
"potentialAction": {
***@***.***": "ViewAction",
"target": "https://github.com/openjdk/jdk/pull/19055#issuecomment-2125541556";,
"url": "https://github.com/openjdk/jdk/pull/19055#issuecomment-2125541556";,
"name": "View Pull Request"
},
"description": "View this Pull Request on GitHub",
"publisher": {
***@***.***": "Organization",
"name": "GitHub",
"url": "https://github.com";
}
}
]</script>
    </blockquote>
    <br>
  </body>
</html>

--------------Rdb42IWaMAGxS5O004yPY6ws--

-------------

PR Comment: https://git.openjdk.org/jdk/pull/19055#issuecomment-2125551168

Re: RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) [v3]

Reply via email to