https://bugzilla.redhat.com/show_bug.cgi?id=1245759
Bug ID: 1245759
Summary: Attach-process does not work. "ptrace: Operation not permitted"
Product: Fedora
Version: 22
Component: eclipse-cdt
Assignee: jjohnstn@redhat.com
Reporter: lufimtse@redhat.com
QA Contact: extras-qa@fedoraproject.org
CC: akurtako@redhat.com, eclipse-sig@lists.fedoraproject.org, jjohnstn@redhat.com, krzysztof.daniel@gmail.com, rgrunber@redhat.com
Description of problem: As of F22, in Eclipse-CDT, you can't debug via "attach to process". When you try, nothing happens.
When trying the same thing with GDB, you get an error: "ptrace: Operation not permitted."
After some troubleshooting, one workaround is: sudo chmod +s /usr/bin/gdb
The root cause of the issue has been narrowed down to a security hardening in: https://bugzilla.redhat.com/show_bug.cgi?id=1209492
I tested one potential patch and it fixed the issue. But at present there is a debate about security in the bug above (50 comments..).
- The Security-hardening argument is that ptrace has the ability to look into the memory of any process, thus being a security threat.
- The usability argument is that the change is security theater. It only breaks a lot of applications and doesn't really add much security since there are other easier ways to do the same (e.g. core dumping another application and reading the dump). As such it's fixing something that isn't broken but causes breakage in many other apps.
This bug is a tracker bug. It is intended to raise attention that the security-hardening change (in bug 1209492) breaks Eclipse-cdt's attach-to-process functionality and imho should be reversed. To me it seems that this is an unnecessary big wall that can be easily walked around anyway.
Version-Release number of selected component (if applicable): F22. Eclipse independent.
How reproducible: Always
Steps to Reproduce:
- Start a C application (e.g. a JVM).
- From Eclipse, attempt to attach to the process.
Actual results: - Nothing happens
Expected results: - Debug session should have started.
Additional info:
Lev Ufimtsev lufimtse@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends On|                            |1209492
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1209492 [Bug 1209492] BUG: Yama blocks ptrace'ing my own process
Lev Ufimtsev lufimtse@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|jjohnstn@redhat.com         |lufimtse@redhat.com
Lev Ufimtsev lufimtse@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
--- Comment #1 from Lev Ufimtsev lufimtse@redhat.com ---
It seems the patch is getting reverted. This is good as Eclipse's GDB attach-to process will continue to function without having to change SELinux policies.
I'll look into testing things once there is a build available.
Bug 1245759 depends on bug 1209492, which changed state.
Bug 1209492 Summary: BUG: Yama blocks ptrace'ing my own process
https://bugzilla.redhat.com/show_bug.cgi?id=1209492

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ON_QA                       |CLOSED
         Resolution|---                         |CANTFIX
--- Comment #2 from Lev Ufimtsev lufimtse@redhat.com ---
The child task was closed as WontFix. It's not clear if remote-attach works on the latest F22/F23 at the moment; I need to test this sometime.
Lev Ufimtsev lufimtse@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |CLOSED
         Resolution|---                         |CANTFIX
        Last Closed|                            |2015-09-02 14:50:17
--- Comment #3 from Lev Ufimtsev lufimtse@redhat.com ---
After some investigation, the current solution is to install the package: https://apps.fedoraproject.org/packages/elfutils-default-yama-scope
Which loosens yama scope to allow ptrace and other processes that attach themselves to work properly.
The above package has been added as a 'weak dependency' by tools like gdb.
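A diagnostic for the "ptrace: Operation not permitted" failure discussed in this thread, as an added example that is not part of the bug report or of any Fedora package: it reads the Yama scope, says whether an attach is expected to pass, and flags a gdb binary left setuid by the `chmod +s` workaround. The sysctl path `/proc/sys/kernel/yama/ptrace_scope` and the mode values 0 to 3 are taken from the kernel's Yama documentation, not from this page; the function names are made up for the example.

```shell
#!/bin/sh
# Added example: explain a "ptrace: Operation not permitted" from gdb attach.
# Sysctl path and mode numbers follow the kernel Yama docs (assumed, not on the page).

# Print the Yama ptrace_scope value, or "absent" if Yama is not enabled.
read_scope() {
    f="${1:-/proc/sys/kernel/yama/ptrace_scope}"
    if [ -r "$f" ]; then tr -d ' \n' < "$f"; else echo absent; fi
}

# Yama's verdict for attaching to a same-UID process (classic checks still apply).
#   $1 scope   $2 "descendant" or "other"   $3 "cap" if CAP_SYS_PTRACE is held
# At scope 1 a target can also opt in with prctl(PR_SET_PTRACER); not modelled here.
attach_verdict() {
    case "$1" in
        0|absent) echo allowed ;;
        1) if [ "$2" = descendant ] || [ "$3" = cap ]; then echo allowed
           else echo denied; fi ;;
        2) if [ "$3" = cap ]; then echo allowed; else echo denied; fi ;;
        *) echo denied ;;   # 3 = no attach at all; unknown values treated as denied
    esac
}

# Report whether a debugger binary carries the setuid bit.
gdb_setuid_status() {
    g="${1:-/usr/bin/gdb}"
    if [ ! -e "$g" ]; then echo missing
    elif [ -u "$g" ]; then echo setuid
    else echo ok; fi
}

ptrace_report() {
    s=$(read_scope "$1")
    echo "yama ptrace_scope: $s"
    echo "attach to unrelated same-UID process: $(attach_verdict "$s" other)"
    echo "attach to own child process:          $(attach_verdict "$s" descendant)"
    st=$(gdb_setuid_status "$2")
    echo "gdb binary: $st"
    if [ "$st" = setuid ]; then
        echo "WARNING: setuid gdb runs as its owner for every local user; undo with chmod -s"
    fi
    return 0
}

ptrace_report "$@"
```

Run without arguments it inspects the live system; pass a scope file and a gdb path to check other locations.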