JDK-8341349

[Linux] jcmd -l doesn't work with elevated privileges and shared pid namespace only


    • Type: Bug
    • Resolution: Unresolved
    • Priority: P4
    • tbd
    • 24
    • core-svc
    • generic
    • linux

      This has been discovered during investigation of a failing test (JDK-8341310). With JDK-8327114 a new test has been included which tests various attach scenarios. One of them is:

      - Shared pid namespace of attachee and attacher container (--pid=container:<attachee-container-name>)
      - With elevated privileges of the attachee and the attacher (--cap-add=NET_BIND_SERVICE)
      - The attachee and the attacher using the same user id when they are run (--user <UID>:<GID>).

      Reproducer:
      Run containers/docker/TestJcmdWithSideCar.java test with the hunk removed which disables that test case as introduced with JDK-8341310.

      Or manually:

      // Attachee container:
      $ podman run --tty=true --rm --volume /disk/openjdk/upstream-sources/git/jdk-jdk/JTwork/classes/containers/docker/TestJcmdWithSideCar.d:/test-classes/ --user=$(id -u):$(id -g) --cap-add=NET_BIND_SERVICE --cap-add=SYS_PTRACE --name test-container-main --volume /tmp --volume /disk/openjdk/upstream-sources/git/jdk-jdk/JTwork/scratch/.:/workdir/ jdk-internal:test-containers-docker-TestJcmdWithSideCar-jfr-jcmd /jdk/bin/java -XX:+ErrorFileToStderr -cp /test-classes/ -XX:+UsePerfData EventGeneratorLoop 300

      // Attacher container
      $ podman run -i --tty=true --rm --cap-add=SYS_PTRACE --sig-proxy=true --pid=container:test-container-main --cap-add=NET_BIND_SERVICE --user=$(id -u):$(id -g) jdk-internal:test-containers-docker-TestJcmdWithSideCar-jfr-jcmd /jdk/bin/jcmd -l

      Expected:
      1 EventGeneratorLoop 300
      105 jdk.jcmd/sun.tools.jcmd.JCmd -l

      Actual:
      105 jdk.jcmd/sun.tools.jcmd.JCmd -l

      Assignee: Unassigned
      Reporter: Severin Gehwolf (sgehwolf)