Skip to content

Fix capability loss uid override#509

Merged
r1viollet merged 1 commit into
mainfrom
r1viollet/fix/capability-loss-uid-override
Mar 19, 2026
Merged

Fix capability loss uid override#509
r1viollet merged 1 commit into
mainfrom
r1viollet/fix/capability-loss-uid-override

Conversation

@r1viollet

Copy link
Copy Markdown
Collaborator

What does this PR do?

Refer to following PR
I adjusted to allow switching if the file is not a file from a root user.

Motivation

Avoid capability loss.
Refer to original PR

Additional Notes

NA

How to test the change?

Unit tests were added, thank you @xroche

@pr-commenter

pr-commenter Bot commented Mar 18, 2026

Copy link
Copy Markdown

Benchmark results for collatz

Parameters

Baseline Candidate
config baseline candidate
profiler-version ddprof 0.23.0+eabb4a64.103529266 ddprof 0.23.0+72194b11.103538379

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 1 metrics, 0 unstable metrics.

See unchanged results
scenario Δ mean execution_time
scenario:ddprof -S bench-collatz --preset cpu_only collatz_runner.sh same

@pr-commenter

pr-commenter Bot commented Mar 18, 2026

Copy link
Copy Markdown

Benchmark results for BadBoggleSolver_run

Parameters

Baseline Candidate
config baseline candidate
profiler-version ddprof 0.23.0+eabb4a64.103529266 ddprof 0.23.0+72194b11.103538379

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 1 metrics, 0 unstable metrics.

See unchanged results
scenario Δ mean execution_time
scenario:ddprof -S bench-bad-boggle-solver BadBoggleSolver_run work 1000 same

Comment thread test/user_override_caps-ut.cc Outdated
@r1viollet
r1viollet force-pushed the r1viollet/fix/capability-loss-uid-override branch from e999b82 to f8e3dd9 Compare March 19, 2026 08:52
Comment thread test/user_override_caps-ut.cc Outdated
// process capability sets. Fully reproducing that needs a non-root process that
// also holds CAP_SETUID and CAP_SETGID, which is uncommon in CI.
//
// How we reproduced this in a privileged container

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added instructions here are on how to reproduce the issue (as even with LLMs, it was quite painful to do)

Comment thread test/user_override_caps-ut.cc Outdated
@r1viollet
r1viollet force-pushed the r1viollet/fix/capability-loss-uid-override branch 2 times, most recently from bf8b06c to f3d076d Compare March 19, 2026 09:51
Comment thread test/user_override_caps-ut.cc Outdated
@r1viollet
r1viollet force-pushed the r1viollet/fix/capability-loss-uid-override branch from f3d076d to ecbaf1c Compare March 19, 2026 16:12
When ddprof runs as a non-root user with file capabilities (e.g.
CAP_IPC_LOCK, CAP_PERFMON), the UID round-trip in open_proc_maps()
and open_proc_comm() permanently destroys all capabilities:
1. fopen("/proc/<pid>/maps") fails (target is non-dumpable)
2. stat() shows file owned by root (st_uid=0)
3. setresuid(0, 0, -1) sets real+effective to 0, saved stays 1000
4. Retry fopen still fails (needs CAP_SYS_PTRACE, not just UID 0)
5. setresuid(1000, 1000, -1) restores UIDs — all nonzero
6. Kernel clears ALL capabilities (Linux cap clearing rule)
7. Worker permanently loses IPC_LOCK + PERFMON → profiling breaks

Guard the UID elevation with `is_root()` so non-root users skip the
elevation attempt entirely, preserving their file capabilities.

Add unit tests covering capability preservation for the fixed path,
including a reproducer for the original bug.

Co-Authored-By: Xavier Roche <[email protected]>
nsavoire
nsavoire previously approved these changes Mar 19, 2026
@r1viollet
r1viollet force-pushed the r1viollet/fix/capability-loss-uid-override branch from ecbaf1c to 72194b1 Compare March 19, 2026 16:21
@r1viollet
r1viollet merged commit f1638cd into main Mar 19, 2026
3 checks passed
@r1viollet
r1viollet deleted the r1viollet/fix/capability-loss-uid-override branch March 19, 2026 16:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants