
To enable profiling, IntelliJ needs access to elevated kernel capabilities. It shows a dialog asking to open those features on the entire system. I'm trying to restrict the damage to the IntelliJ process only.

One item is `kptr_restrict`, which I can open to all (=0) (recommendation from IntelliJ) or to processes with CAP_SYSLOG (=1).

> When kptr_restrict is set to 0 (the default) the address is hashed before printing. (This is the equivalent to %p.)
>
> When kptr_restrict is set to (1), kernel pointers printed using the %pK format specifier will be replaced with 0's unless the user has CAP_SYSLOG and effective user and group ids are equal to the real ids. [...]
>
> [...] default is 2, always return 0's.

Since IntelliJ runs from its own Java install, my first attempt was to `sudo setcap 'CAP_SYSLOG+eip' ~/.local/share/JetBrains/Toolbox/apps/IDEA-U/ch-0/221.6008.13/jbr/bin/java`

After doing all the steps to work around the failed ld.so error described at https://unix.stackexchange.com/a/88001/497788:

```
$ getcap ~/.local/share/JetBrains/Toolbox/apps/IDEA-U/ch-0/221.6008.13/jbr/bin/java
~/.local/share/JetBrains/Toolbox/apps/IDEA-U/ch-0/221.6008.13/jbr/bin/java  = cap_syslog+eip

$ ~/.local/share/JetBrains/Toolbox/apps/IDEA-U/ch-0/221.6008.13/jbr/bin/java ... com.intellij.idea.Main
(works)

$ getpcaps 12345 #java running intellij
12345 = cap_syslog+ep

$ sysctl kernel.kptr_restrict
kernel.kptr_restrict = 1
```

Everything seems to be in place. Try to profile an application: still get the message about missing the `kptr_restrict=0`... Wondering if IntelliJ is just checking the value instead of trying to use its powers? Let's try that hypothesis. The code seems to open `/proc/kallsyms` and look for specific lines. I'm guessing if it sees addresses there then it is assumed to be working? Or does it look for some attribute on the kptr_restrict line? That code is not very clear to me. (End of detour)

Get the PID of the java process running the application to be profiled:

```
$ getpcaps 12999
12999: =
```

(hummm.... no caps)

```
$ ps -o ppid= -p 117385
 12345

$ getpcaps 12345
 12345: = cap_syslog+ep
```

Q1: Why doesn't getpcaps show Inheritable, but only cap_syslog+ep, while getcap shows cap_syslog+eip?

Q2: Why doesn't the child process of 12345 inherit cap_syslog?

Well, let's ignore the inheritance and also add the capability to the child java process (which is a different binary):

```
sudo setcap 'CAP_SYSLOG+ep' ~/.jdks/temurin-1.8.0_332/bin/java
```

It works fine. Restart everything. Same failure.

Even tried to catch any java process being spawned out of those binaries with `while true; do for p in $(ps aux | grep java | grep -v grep | awk '{print $2}'); do getpcaps $p; done; done` and never saw any line without "cap_syslog+ep".

Q3: What's the right way to get this to work?

gabriel
    Very curious to know why on earth they would need access to kernel pointers printed in syslog for profiling. That's some very bad design to say the least. Anyway, you can try two things: run the program with [`capsh`](https://manned.org/capsh.1), or with `sudo` as root, or even run it under `strace -f` to see if it opens and reads `/proc/sys/kernel/kptr_restrict` before complaining and exiting or does other strange stuff. – Marco Bonelli Aug 12 '22 at 11:38
    File `'i'` inheritable capabilities don't work the way you think. There is a write-up on how the various forms of [inheritance](https://sites.google.com/site/fullycapable/inheriting-privilege) work on the `libcap` distribution website. – Tinkerer Aug 12 '22 at 14:59

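The `getcap`/`getpcaps` outputs in the question can be checked against the execve() transformation rules in capabilities(7). The following is an added example, not part of the original question or its comments: it models those rules for a non-root process and reproduces the `cap_syslog+ep` and empty `=` results shown above. Assumptions: set-uid/set-gid files and securebits are ignored, the bounding set is full, and the `raised` process (CAP_SYSLOG placed in its inheritable and ambient sets) is hypothetical.

```python
# Added example: execve() capability rules from capabilities(7), non-root case.
# Simplifications (assumptions): set-uid/set-gid files and securebits are ignored.
from dataclasses import dataclass, replace

CAP_SYSLOG = 1 << 34            # capability number 34
FULL_BOUNDING = (1 << 41) - 1   # assumption: nothing dropped from the bounding set

@dataclass(frozen=True)
class Proc:                     # per-process capability sets (bitmasks)
    inheritable: int = 0
    permitted: int = 0
    effective: int = 0
    bounding: int = FULL_BOUNDING
    ambient: int = 0

@dataclass(frozen=True)
class FileCaps:                 # what setcap stores on the binary
    inheritable: int = 0
    permitted: int = 0
    effective: bool = False     # the file "e" flag is one bit, not a set

def execve(p: Proc, f: FileCaps) -> Proc:
    has_file_caps = bool(f.inheritable or f.permitted or f.effective)
    ambient = 0 if has_file_caps else p.ambient
    permitted = (p.inheritable & f.inheritable) | (f.permitted & p.bounding) | ambient
    effective = permitted if f.effective else ambient
    # P'(inheritable) = P(inheritable): the file "i" set never adds to it.
    return replace(p, permitted=permitted, effective=effective, ambient=ambient)

def flags(p: Proc, cap: int = CAP_SYSLOG) -> str:
    """Letters of the sets that hold `cap`, in getpcaps order (e, i, p)."""
    sets = (("e", p.effective), ("i", p.inheritable), ("p", p.permitted))
    return "".join(letter for letter, mask in sets if mask & cap)

def scenarios() -> dict:
    shell = Proc()  # constructed: an ordinary user shell with no capabilities
    ide = execve(shell, FileCaps(CAP_SYSLOG, CAP_SYSLOG, True))   # setcap +eip
    raised = replace(ide, inheritable=CAP_SYSLOG, ambient=CAP_SYSLOG)
    return {
        "ide": flags(ide),
        "child_plain": flags(execve(ide, FileCaps())),
        "child_ep": flags(execve(ide, FileCaps(0, CAP_SYSLOG, True))),
        "child_ambient": flags(execve(raised, FileCaps())),
    }

if __name__ == "__main__":
    for name, held in scenarios().items():
        print(f"{name:14} cap_syslog+{held}" if held else f"{name:14} (none)")
```

In this model the file `i` flag only masks what the process already holds in its own inheritable set, so a binary with `+eip` started from an ordinary shell ends up with `+ep`, and a child binary without file capabilities ends up with nothing.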