Fix capability loss uid override#509
Merged
Merged
Conversation
Benchmark results for collatzParameters
SummaryFound 0 performance improvements and 0 performance regressions! Performance is the same for 1 metrics, 0 unstable metrics. See unchanged results
|
Benchmark results for BadBoggleSolver_runParameters
SummaryFound 0 performance improvements and 0 performance regressions! Performance is the same for 1 metrics, 0 unstable metrics. See unchanged results
|
r1viollet
commented
Mar 19, 2026
r1viollet
force-pushed
the
r1viollet/fix/capability-loss-uid-override
branch
from
March 19, 2026 08:52
e999b82 to
f8e3dd9
Compare
r1viollet
commented
Mar 19, 2026
| // process capability sets. Fully reproducing that needs a non-root process that | ||
| // also holds CAP_SETUID and CAP_SETGID, which is uncommon in CI. | ||
| // | ||
| // How we reproduced this in a privileged container |
Collaborator
Author
There was a problem hiding this comment.
added instructions here are on how to reproduce the issue (as even with LLMs, it was quite painful to do)
r1viollet
commented
Mar 19, 2026
r1viollet
force-pushed
the
r1viollet/fix/capability-loss-uid-override
branch
2 times, most recently
from
March 19, 2026 09:51
bf8b06c to
f3d076d
Compare
nsavoire
reviewed
Mar 19, 2026
r1viollet
force-pushed
the
r1viollet/fix/capability-loss-uid-override
branch
from
March 19, 2026 16:12
f3d076d to
ecbaf1c
Compare
When ddprof runs as a non-root user with file capabilities (e.g.
CAP_IPC_LOCK, CAP_PERFMON), the UID round-trip in open_proc_maps()
and open_proc_comm() permanently destroys all capabilities:
1. fopen("/proc/<pid>/maps") fails (target is non-dumpable)
2. stat() shows file owned by root (st_uid=0)
3. setresuid(0, 0, -1) sets real+effective to 0, saved stays 1000
4. Retry fopen still fails (needs CAP_SYS_PTRACE, not just UID 0)
5. setresuid(1000, 1000, -1) restores UIDs — all nonzero
6. Kernel clears ALL capabilities (Linux cap clearing rule)
7. Worker permanently loses IPC_LOCK + PERFMON → profiling breaks
Guard the UID elevation with `is_root()` so non-root users skip the
elevation attempt entirely, preserving their file capabilities.
Add unit tests covering capability preservation for the fixed path,
including a reproducer for the original bug.
Co-Authored-By: Xavier Roche <[email protected]>
nsavoire
previously approved these changes
Mar 19, 2026
r1viollet
force-pushed
the
r1viollet/fix/capability-loss-uid-override
branch
from
March 19, 2026 16:21
ecbaf1c to
72194b1
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Refer to following PR
I adjusted to allow switching if the file is not a file from a root user.
Motivation
Avoid capability loss.
Refer to original PR
Additional Notes
NA
How to test the change?
Unit tests were added, thank you @xroche