author: Hyotaek Shim <hyotaek.shim@samsung.com> 2022-02-07 15:43:35 +0900
committer: Hyotaek Shim <hyotaek.shim@samsung.com> 2022-02-07 06:31:43 +0000
commit: 0988bdea2b1a344da4dbc4da4b3e925bca15e2ee (patch)
tree: 0b074c65d7045ff0af5ace97fc301a5fe61a826c
parent: 1f6bcf8d5a686ed60d4177e6b32051852211cdde (diff)
[Problem]
Subject: FW: RE:(2) ~RE(3): [Debug Attach] Program Symbols Not Loading

+ Tomasz Swierczek

Hello Tomasz,

A problem has been reported that the "Debug Attach" function does not work in Tizen Studio.
(For more information, please refer to the mails below.)

This seems to be related to mount namespace separation operation.
If we revert https://review.tizen.org/gerrit/#/c/platform/core/appfw/launchpad/+/212712/ , it works well as expected.

It seems that the gdserver process requires setns operation to attach to the app process that is already in operation.
To solve this problem, capabilities need to be assigned to "gdserver" executable file,
but it is pushed by tizen-studio during the runtime of debugging, so "setcap" does not work because it has "sdk_user" permission.

There seems to be no solution at the moment; if you have any good ideas, please share them.

Thanks,
Jin-gyu Kim

[Solution]
Precondition :
A. launchpad needs to know that the current request was made by the gdbserver.
B. launchpad needs to know the pid of the target app process.

1. Add "cap_sys_chroot" to launchpad process.
   (It should be also included in user@.service as an inheritable option.)
2. If the current request is executed by the gdbserver, its namespace needs to be equal to the target app process by using setns().
   - setns() requires the pid of target app process.
     (Please refer to https://man7.org/linux/man-pages/man2/setns.2.html)
     example :
       int fd = open("/proc/1234/ns/mnt", O_RDONLY);
       setns(fd,0);
       // "/proc/[pid]/ns/mnt"
   - These must be executed before "security_manager_prepare_app()".

Change-Id: Ief42b5e40259fa074ec110cfac957508dcb468d3
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
(cherry picked from commit 3c7df46b0c0108f34fdc2de4cafe7384e07ea1a4)

-rw-r--r-- units/user@.service.in 2
1 files changed, 1 insertions, 1 deletions
diff --git a/units/user@.service.in b/units/user@.service.in
index fe6603b9f6..fa1f78c59f 100644
--- a/units/user@.service.in
+++ b/units/user@.service.in
@@ -27,7 +27,7 @@ Delegate=pids memory
TasksMax=infinity
Environment=DBUS_SESSION_BUS_ADDRESS=kernel:path=/sys/fs/kdbus/%i-user/bus;unix:path=/run/user/%i/bus
Environment=XDG_RUNTIME_DIR=/run/user/%i
-Capabilities=cap_sys_admin,cap_mac_admin,cap_setgid,cap_dac_override=i
+Capabilities=cap_sys_admin,cap_mac_admin,cap_setgid,cap_dac_override,cap_sys_chroot=i
SecureBits=keep-caps
TimeoutStartSec=infinity
TimeoutStopSec=120s
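
Review bot: On the changed `Capabilities=` line, `cap_sys_chroot` is added to the inheritable set of every `user@.service` instance, although the commit message says only launchpad needs it, and only when a request comes from gdbserver. Because the set is inheritable-only (`=i`), the capability becomes usable only by executables whose file capabilities also list it, so please state in the commit message or in a comment above this line which binaries are expected to carry `cap_sys_chroot` in their file inheritable set, and have launchpad drop it once the `setns()` call is done. Together with the `cap_sys_admin` already on this line it allows joining another process's mount namespace, so it is worth considering whether this should be limited to images where debug attach is enabled rather than applied unconditionally in the unit template.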