On Wed, 22 May 2024 19:04:22 GMT, Larry Cable <d...@openjdk.org> wrote:
>> Sebastian Lövdahl has updated the pull request incrementally with two additional commits since the last revision:
>>
>> - Remove unused `SELF_PID_NS`
>> - Rewrite in line with suggestion from Larry Cable
>
> On 5/22/24 11:58 AM, Sebastian Lövdahl wrote:
>>
>>> I haven't but I will. BTW, which Linux capabilities should be enabled in order to prevent a /proc/... style attach due to lack of permissions to access the target's /proc fs?
>>>
>>> Rgds - Larry
>>
>> I know for sure that |CAP_NET_BIND_SERVICE| prevents access to |/proc/<pid>/root| at least. I don't know if there's any distinction between the different privileges a process can have, to be honest, but I somehow got the impression that having /any/ privilege restricts access to |/proc/<pid>/root| (among others). But right now I cannot recall what gave me that impression. There's a long list of capabilities though: https://man7.org/linux/man-pages/man7/capabilities.7.html
>>
>>> it lives ...it lives!!!
>>>
>>> I love it when a patch comes together!
>>>
>>> :)
>>>
>>> thx for testing this before my 1st cup of coffee!
>>
>> Great feeling indeed! Ah, the best cup of the day, have a good one :)
>>
>
> likewise Slainte Mhath!
>
> - Larry

@larry-cable gentle ping, did you get a chance to test it any further?

Maybe @jerboaa and/or @kevinjwalls, who reviewed #17628 / [JDK-8226919](https://bugs.openjdk.org/browse/JDK-8226919), would like to take a look at this fix as well?

Maybe it's getting a bit late now, but it would be really awesome if we could get this to land before RDP 1 (on Thursday the 6th), so we avoid regressing any use-cases in the upcoming JDK 23.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/19055#issuecomment-2143912533