+++ /dev/null
-/*
- * Copyright 2016 Andrei Pangin
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <sys/syscall.h>
-#include <dirent.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <signal.h>
-#include <time.h>
-#include <unistd.h>
-
-#define MAX_PATH 1024
-#define TMP_PATH (MAX_PATH - 64)
-
-static char temp_path_storage[TMP_PATH] = {0};
-
-
-#ifdef __linux__
-
-const char* get_temp_path() {
- return temp_path_storage;
-}
-
-int get_process_info(int pid, uid_t* uid, gid_t* gid, int* nspid) {
- // A process may have its own root path (when running in chroot environment)
- char path[64];
- snprintf(path, sizeof(path), "/proc/%d/root", pid);
-
- // Append /tmp to the resolved root symlink
- ssize_t path_size = readlink(path, temp_path_storage, sizeof(temp_path_storage) - 10);
- strcpy(temp_path_storage + (path_size > 1 ? path_size : 0), "/tmp");
-
- // Parse /proc/pid/status to find process credentials
- snprintf(path, sizeof(path), "/proc/%d/status", pid);
- FILE* status_file = fopen(path, "r");
- if (status_file == NULL) {
- return 0;
- }
-
- char* line = NULL;
- size_t size;
-
- while (getline(&line, &size, status_file) != -1) {
- if (strncmp(line, "Uid:", 4) == 0) {
- // Get the effective UID, which is the second value in the line
- *uid = (uid_t)atoi(strchr(line + 5, '\t'));
- } else if (strncmp(line, "Gid:", 4) == 0) {
- // Get the effective GID, which is the second value in the line
- *gid = (gid_t)atoi(strchr(line + 5, '\t'));
- } else if (strncmp(line, "NStgid:", 7) == 0) {
- // PID namespaces can be nested; the last one is the innermost one
- *nspid = atoi(strrchr(line, '\t'));
- }
- }
-
- free(line);
- fclose(status_file);
- return 1;
-}
-
-int enter_mount_ns(int pid) {
-#ifdef __NR_setns
- char path[128];
- snprintf(path, sizeof(path), "/proc/%d/ns/mnt", pid);
-
- struct stat oldns_stat, newns_stat;
- if (stat("/proc/self/ns/mnt", &oldns_stat) == 0 && stat(path, &newns_stat) == 0) {
- // Don't try to call setns() if we're in the same namespace already
- if (oldns_stat.st_ino != newns_stat.st_ino) {
- int newns = open(path, O_RDONLY);
- if (newns < 0) {
- return 0;
- }
-
- // Some ancient Linux distributions do not have setns() function
- int result = syscall(__NR_setns, newns, 0);
- close(newns);
- return result < 0 ? 0 : 1;
- }
- }
-#endif // __NR_setns
-
- return 1;
-}
-
-// The first line of /proc/pid/sched looks like
-// java (1234, #threads: 12)
-// where 1234 is the required host PID
-int sched_get_host_pid(const char* path) {
- static char* line = NULL;
- size_t size;
- int result = -1;
-
- FILE* sched_file = fopen(path, "r");
- if (sched_file != NULL) {
- if (getline(&line, &size, sched_file) != -1) {
- char* c = strrchr(line, '(');
- if (c != NULL) {
- result = atoi(c + 1);
- }
- }
- fclose(sched_file);
- }
-
- return result;
-}
-
-// Linux kernels < 4.1 do not export NStgid field in /proc/pid/status.
-// Fortunately, /proc/pid/sched in a container exposes a host PID,
-// so the idea is to scan all container PIDs to find which one matches the host PID.
-int alt_lookup_nspid(int pid) {
- int namespace_differs = 0;
- char path[300];
- snprintf(path, sizeof(path), "/proc/%d/ns/pid", pid);
-
- // Don't bother looking for container PID if we are already in the same PID namespace
- struct stat oldns_stat, newns_stat;
- if (stat("/proc/self/ns/pid", &oldns_stat) == 0 && stat(path, &newns_stat) == 0) {
- if (oldns_stat.st_ino == newns_stat.st_ino) {
- return pid;
- }
- namespace_differs = 1;
- }
-
- // Otherwise browse all PIDs in the namespace of the target process
- // trying to find which one corresponds to the host PID
- snprintf(path, sizeof(path), "/proc/%d/root/proc", pid);
- DIR* dir = opendir(path);
- if (dir != NULL) {
- struct dirent* entry;
- while ((entry = readdir(dir)) != NULL) {
- if (entry->d_name[0] >= '1' && entry->d_name[0] <= '9') {
- // Check if /proc/<container-pid>/sched points back to <host-pid>
- snprintf(path, sizeof(path), "/proc/%d/root/proc/%s/sched", pid, entry->d_name);
- if (sched_get_host_pid(path) == pid) {
- closedir(dir);
- return atoi(entry->d_name);
- }
- }
- }
- closedir(dir);
- }
-
- if (namespace_differs) {
- printf("WARNING: couldn't find container pid of the target process\n");
- }
-
- return pid;
-}
-
-#elif defined(__APPLE__)
-
-#include <sys/sysctl.h>
-
-// macOS has a secure per-user temporary directory
-const char* get_temp_path() {
- if (temp_path_storage[0] == 0) {
- int path_size = confstr(_CS_DARWIN_USER_TEMP_DIR, temp_path_storage, sizeof(temp_path_storage));
- if (path_size == 0 || path_size > sizeof(temp_path_storage)) {
- strcpy(temp_path_storage, "/tmp");
- }
- }
-
- return temp_path_storage;
-}
-
-int get_process_info(int pid, uid_t* uid, gid_t* gid, int* nspid) {
- int mib[4] = {CTL_KERN, KERN_PROC, KERN_PROC_PID, pid};
- struct kinfo_proc info;
- size_t len = sizeof(info);
-
- if (sysctl(mib, 4, &info, &len, NULL, 0) < 0 || len <= 0) {
- return 0;
- }
-
- *uid = info.kp_eproc.e_ucred.cr_uid;
- *gid = info.kp_eproc.e_ucred.cr_gid;
- *nspid = pid;
- return 1;
-}
-
-// This is a Linux-specific API; nothing to do on macOS and FreeBSD
-int enter_mount_ns(int pid) {
- return 1;
-}
-
-// Not used on macOS and FreeBSD
-int alt_lookup_nspid(int pid) {
- return pid;
-}
-
-#else // __FreeBSD__
-
-#include <sys/sysctl.h>
-#include <sys/user.h>
-
-const char* get_temp_path() {
- return "/tmp";
-}
-
-int get_process_info(int pid, uid_t* uid, gid_t* gid, int* nspid) {
- int mib[4] = {CTL_KERN, KERN_PROC, KERN_PROC_PID, pid};
- struct kinfo_proc info;
- size_t len = sizeof(info);
-
- if (sysctl(mib, 4, &info, &len, NULL, 0) < 0 || len <= 0) {
- return 0;
- }
-
- *uid = info.ki_uid;
- *gid = info.ki_groups[0];
- *nspid = pid;
- return 1;
-}
-
-// This is a Linux-specific API; nothing to do on macOS and FreeBSD
-int enter_mount_ns(int pid) {
- return 1;
-}
-
-// Not used on macOS and FreeBSD
-int alt_lookup_nspid(int pid) {
- return pid;
-}
-
-#endif
-
-
-// Check if remote JVM has already opened socket for Dynamic Attach
-static int check_socket(int pid) {
- char path[MAX_PATH];
- snprintf(path, sizeof(path), "%s/.java_pid%d", get_temp_path(), pid);
-
- struct stat stats;
- return stat(path, &stats) == 0 && S_ISSOCK(stats.st_mode);
-}
-
-// Check if a file is owned by current user
-static int check_file_owner(const char* path) {
- struct stat stats;
- if (stat(path, &stats) == 0 && stats.st_uid == geteuid()) {
- return 1;
- }
-
- // Some mounted filesystems may change the ownership of the file.
- // JVM will not trust such file, so it's better to remove it and try a different path
- unlink(path);
- return 0;
-}
-
-// Force remote JVM to start Attach listener.
-// HotSpot will start Attach listener in response to SIGQUIT if it sees .attach_pid file
-static int start_attach_mechanism(int pid, int nspid) {
- char path[MAX_PATH];
- snprintf(path, sizeof(path), "/proc/%d/cwd/.attach_pid%d", nspid, nspid);
-
- int fd = creat(path, 0660);
- if (fd == -1 || (close(fd) == 0 && !check_file_owner(path))) {
- // Failed to create attach trigger in current directory. Retry in /tmp
- snprintf(path, sizeof(path), "%s/.attach_pid%d", get_temp_path(), nspid);
- fd = creat(path, 0660);
- if (fd == -1) {
- return 0;
- }
- close(fd);
- }
-
- // We have to still use the host namespace pid here for the kill() call
- kill(pid, SIGQUIT);
-
- // Start with 20 ms sleep and increment delay each iteration
- struct timespec ts = {0, 20000000};
- int result;
- do {
- nanosleep(&ts, NULL);
- result = check_socket(nspid);
- } while (!result && (ts.tv_nsec += 20000000) < 300000000);
-
- unlink(path);
- return result;
-}
-
-// Connect to UNIX domain socket created by JVM for Dynamic Attach
-static int connect_socket(int pid) {
- int fd = socket(PF_UNIX, SOCK_STREAM, 0);
- if (fd == -1) {
- return -1;
- }
-
- struct sockaddr_un addr;
- addr.sun_family = AF_UNIX;
- int bytes = snprintf(addr.sun_path, sizeof(addr.sun_path), "%s/.java_pid%d", get_temp_path(), pid);
- if (bytes >= sizeof(addr.sun_path)) {
- addr.sun_path[sizeof(addr.sun_path) - 1] = 0;
- }
-
- if (connect(fd, (struct sockaddr*)&addr, sizeof(addr)) == -1) {
- close(fd);
- return -1;
- }
- return fd;
-}
-
-// Send command with arguments to socket
-static int write_command(int fd, int argc, char** argv) {
- // Protocol version
- if (write(fd, "1", 2) <= 0) {
- return 0;
- }
-
- int i;
- for (i = 0; i < 4; i++) {
- const char* arg = i < argc ? argv[i] : "";
- if (write(fd, arg, strlen(arg) + 1) <= 0) {
- return 0;
- }
- }
- return 1;
-}
-
-// Mirror response from remote JVM to stdout
-static int read_response(int fd) {
- char buf[8192];
- ssize_t bytes = read(fd, buf, sizeof(buf) - 1);
- if (bytes <= 0) {
- perror("Error reading response");
- return 1;
- }
-
- // First line of response is the command result code
- buf[bytes] = 0;
- int result = atoi(buf);
-
- do {
- fwrite(buf, 1, bytes, stdout);
- bytes = read(fd, buf, sizeof(buf));
- } while (bytes > 0);
-
- return result;
-}
-
-int main(int argc, char** argv) {
- if (argc < 3) {
- printf("jattach " JATTACH_VERSION " built on " __DATE__ "\n"
- "Copyright 2018 Andrei Pangin\n"
- "\n"
- "Usage: jattach <pid> <cmd> [args ...]\n");
- return 1;
- }
-
- int pid = atoi(argv[1]);
- if (pid == 0) {
- perror("Invalid pid provided");
- return 1;
- }
-
- uid_t my_uid = geteuid();
- gid_t my_gid = getegid();
- uid_t target_uid = my_uid;
- gid_t target_gid = my_gid;
- int nspid = -1;
- if (!get_process_info(pid, &target_uid, &target_gid, &nspid)) {
- fprintf(stderr, "Process %d not found\n", pid);
- return 1;
- }
-
- if (nspid < 0) {
- nspid = alt_lookup_nspid(pid);
- }
-
- // Make sure our /tmp and target /tmp is the same
- if (!enter_mount_ns(pid)) {
- printf("WARNING: couldn't enter target process mnt namespace\n");
- }
-
- // Dynamic attach is allowed only for the clients with the same euid/egid.
- // If we are running under root, switch to the required euid/egid automatically.
- if ((my_gid != target_gid && setegid(target_gid) != 0) ||
- (my_uid != target_uid && seteuid(target_uid) != 0)) {
- perror("Failed to change credentials to match the target process");
- return 1;
- }
-
- // Make write() return EPIPE instead of silent process termination
- signal(SIGPIPE, SIG_IGN);
-
- if (!check_socket(nspid) && !start_attach_mechanism(pid, nspid)) {
- perror("Could not start attach mechanism");
- return 1;
- }
-
- int fd = connect_socket(nspid);
- if (fd == -1) {
- perror("Could not connect to socket");
- return 1;
- }
-
- printf("Connected to remote JVM\n");
- if (!write_command(fd, argc - 2, argv + 2)) {
- perror("Error writing to socket");
- close(fd);
- return 1;
- }
-
- printf("Response code = ");
- fflush(stdout);
-
- int result = read_response(fd);
- printf("\n");
- close(fd);
-
- return result;
-}
projects / sven / jattach.git / blobdiff