JDK-8313357

Revisit requiring SA tests on OSX to either run as root or use sudo


    • Enhancement
    • Resolution: Fixed
    • P4
    • 22
    • 17, 21, 22
    • hotspot
    • b12

      Currently on OSX, SA tests require that either they be run as root, or that the test has the ability to launch SA tools using sudo. If this can't be done, SkippedException is thrown. I'm not sure of all the history around this, but I think the main issue was an inability to attach unless the SA process is a root process. Here is some of the code involved:

          public static boolean needsPrivileges() {
              return Platform.isOSX() && !Platform.isRoot();
          }

          public static ProcessBuilder createProcessBuilder(JDKToolLauncher launcher) {
              List<String> cmdStringList = Arrays.asList(launcher.getCommand());
              if (needsPrivileges()) {
                  cmdStringList = addPrivileges(cmdStringList);
              }
              return new ProcessBuilder(cmdStringList);
          }

          public static void skipIfCannotAttach() {
                  ...
                  } else if (Platform.isOSX()) {
                      ...
                      if (!Platform.isRoot() && !canAddPrivileges()) {
                          throw new SkippedException("SA Attach not expected to work. Insufficient privileges (not root and can't use sudo).");
                      }
                  }
                  ...
          }

      "privileges" is just another way of saying "sudo". So you "need privileges" if not running as root. "adding privileges" means adding sudo to the command. If not running as root and privileges cannot be added (sudo doesn't work), then the test is skipped.

      Running the SA tools as root (or with sudo) creates its own set of problems. For one, if the test hangs and the failure_handler is used, it can't itself attach to and debug the SA process. It can't even issue a jcmd. It might be possible to work around this by launching failure_handler tasks using sudo, but I've had mixed results with that.

      I've come to learn, at least on my OSX aarch64 system, that running as root or with sudo is not needed IF "Developer mode" is enabled:

      $ DevToolsSecurity --status
      Developer mode is currently enabled.

      I'm not sure if this has always been the case with OSX. Apple has continually made debugging (via process attach) more and more difficult as it tightens security for such activities. Possibly, this used to work, then was restricted, and now is allowed again. In any case, we should take advantage of it and not require root or sudo when running SA tests if "Developer mode" is enabled.

            cjplummer Chris Plummer
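
One way the proposed check could look, as an added example that is not the JDK test library's code or the change made for this issue: it parses `DevToolsSecurity --status`, treats anything other than the "enabled" line quoted above as disabled, and only then falls back to sudo. The class name, the three-argument `needsPrivileges`, `buildCommand`, the root check via `user.name`, and the "disabled" sample line are assumptions for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class SaPrivilegeCheck {
    // Exact status line quoted in the issue text.
    static final String ENABLED = "Developer mode is currently enabled.";

    // Fail closed: only the known "enabled" line counts; empty or unknown output means disabled.
    static boolean parseDevMode(String output) {
        return output.lines().map(String::trim).anyMatch(ENABLED::equals);
    }

    // Runs the status command; a missing tool or an interrupted wait is treated as "not enabled".
    static boolean developerModeEnabled() {
        try {
            Process p = new ProcessBuilder("DevToolsSecurity", "--status")
                    .redirectErrorStream(true).start();
            String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
            p.waitFor();
            return parseDevMode(out);
        } catch (IOException e) {
            return false;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return false;
        }
    }

    // Hypothetical variant of needsPrivileges(): sudo only when neither root nor developer mode applies.
    static boolean needsPrivileges(boolean isOSX, boolean isRoot, boolean devMode) {
        return isOSX && !isRoot && !devMode;
    }

    // Prefixes the tool command with sudo only when the decision above requires it.
    static List<String> buildCommand(List<String> cmd, boolean sudo) {
        List<String> out = new ArrayList<>(sudo ? List.of("sudo") : List.of());
        out.addAll(cmd);
        return out;
    }

    public static void main(String[] args) {
        boolean isOSX = System.getProperty("os.name").startsWith("Mac");
        boolean isRoot = "root".equals(System.getProperty("user.name")); // assumed root check
        List<String> tool = List.of("jhsdb", "jstack", "--pid", "1234"); // constructed pid
        // Constructed sample outputs; only the first appears in the issue text.
        for (String s : List.of(ENABLED + "\n", "Developer mode is currently disabled.\n", "")) {
            boolean sudo = needsPrivileges(true, false, parseDevMode(s));
            System.out.println(buildCommand(tool, sudo) + "  <- '" + s.trim() + "'");
        }
        boolean live = isOSX && developerModeEnabled();
        System.out.println("this host needs sudo: " + needsPrivileges(isOSX, isRoot, live));
    }
}
```

Keeping the tool process unprivileged whenever developer mode allows it also leaves it reachable by the failure_handler and jcmd, which is the debugging problem the description raises.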