From: "twhitehead at gmail dot com"
To: gdb-prs@sourceware.org
Subject: [Bug gdb/30113] New: Different namespaces under linux now require extra capabilities even when not strictly needed (regression)
Date: Fri, 10 Feb 2023 23:21:39 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=30113

            Bug ID: 30113
           Summary: Different namespaces under linux now require extra
                    capabilities even when not strictly needed (regression)
           Product: gdb
           Version: 7.10
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: twhitehead at gmail dot com
  Target Milestone: ---

Created attachment 14675
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14675&action=edit
Patch to fallback to trying direct if unable to enter target's namespace due
to insufficient permissions

I ran into a regression trying to attach to and debug a hung process on one
of the Canadian super computer systems. Newer gdbs kept giving a confusing
error message about operation not permitted when opening the executable and
refused to load the symbol information while older ones worked okay.

[tyson@gra120 ~]$ gdb -p 26848
GNU gdb (Gentoo 9.1 vanilla) 9.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
.
Find the GDB manual and other documentation resources online at:
.

For help, type "help".
Type "apropos word" to search for commands related to "word".
Attaching to process 26848
[New LWP 26849]
[New LWP 26850]
[New LWP 26852]
warning: "target:/project/6001152/issm5/bin/issm.exe": could not open as an executable file: Operation not permitted.
warning: `target:/project/6001152/issm5/bin/issm.exe': can't open to read symbols: Operation not permitted.
warning: Could not load vsyscall page because no executable was specified
0x00002b2741a5d64d in ?? ()
(gdb)

After a lot of digging around and the help of my colleague Bart Oldeman
compiling and trying a lot of different gdb versions, we eventually traced it
down to the introduction of the linux namespace code in 7.10.

This code seems to assume that different namespaces automatically mean there
are containers and that target paths will not be valid outside of their
container namespace. This isn't universally true.
In the super computer world, the SLURM scheduler runs jobs in separate
namespaces and cgroups for reasons of resource control. The target paths are
perfectly valid outside of the target, and sysadmins are not happy about the
idea of handing out extra capabilities.

I have done up a short patch and attached it to restore the previous
behaviour of just directly trying to use the target's paths as a fallback if
setns fails due to lacking capabilities. This resolves the issue for us.
Possibly a warning should be issued, so container users know they need to run
with elevated capabilities, but, not being familiar with the gdb code base, I
wasn't clear on how best that would be done.

Thanks! Tyson

-- 
You are receiving this mail because:
You are on the CC list for the bug.
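
The fallback described in the report, sketched as an added C example; it is not the attached patch and not gdb's code. The names open_target_path, enter_mnt_ns, stub_enter and stub_errno are hypothetical, and the stub is constructed so the refused-switch path can be exercised without a second namespace.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* setns() and CLONE_NEWNS in <sched.h> */
#endif
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <unistd.h>
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000  /* value from the Linux UAPI headers */
#endif
int setns(int fd, int nstype);  /* repeated so include order cannot hide it */

/* Join the mount namespace of PID. Returns 0, or -1 with errno set
   (EPERM when the caller lacks the capabilities setns requires). */
int enter_mnt_ns(pid_t pid)
{
    char link[64];
    snprintf(link, sizeof link, "/proc/%ld/ns/mnt", (long)pid);
    int nsfd = open(link, O_RDONLY | O_CLOEXEC);
    if (nsfd < 0) return -1;
    int rc = setns(nsfd, CLONE_NEWNS);
    int saved = errno;
    close(nsfd);
    errno = saved;
    return rc;
}

/* Hypothetical helper: open PATH as target PID sees it. ENTER is the
   namespace switch (normally enter_mnt_ns; a parameter so it can be stubbed).
   If the switch is refused for lack of privilege, PATH is opened in the
   caller's own namespace and *FELL_BACK is set, so the caller can warn that
   the file may not be the one the target mapped. */
int open_target_path(pid_t pid, const char *path,
                     int (*enter)(pid_t), int *fell_back)
{
    int home = open("/proc/self/ns/mnt", O_RDONLY | O_CLOEXEC);
    int entered = (enter(pid) == 0);
    *fell_back = !entered && (errno == EPERM || errno == EACCES);
    int fd = (entered || *fell_back) ? open(path, O_RDONLY | O_CLOEXEC) : -1;
    int saved = errno;
    if (entered && home >= 0)
        setns(home, CLONE_NEWNS);   /* return to our own namespace */
    if (home >= 0) close(home);
    errno = saved;
    return fd;
}

/* Constructed stub: a namespace switch that always fails with stub_errno. */
int stub_errno = EPERM;
int stub_enter(pid_t pid) { (void)pid; errno = stub_errno; return -1; }
```

Any failure other than a permission error (for example the target having exited) is still reported as an error rather than silently opening a local file.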