How to debug program that has linux Capabilities

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

How to debug program that has linux Capabilities

quazpick
Create a hello world binary.

Give it linux capabilities e.g. with setcap command.

valgrind the binary with caps.

It will fail.:

#include <stdio.h>
int main() { printf("Hello.\n"); return 0; }

user@devuan:~/test3$ gcc main.c
user@devuan:~/test3$ sudo su
root@devuan:/home/user/test3# setcap "cap_net_admin+eip" ./a.out
root@devuan:/home/user/test3# exit
exit

user@devuan:~/test3$ valgrind ./a.out
==19376==
==19376== Warning: Can't execute setuid/setgid/setcap executable: ./a.out
==19376== Possible workaround: remove --trace-children=yes, if in effect
==19376==
valgrind: ./a.out: Permission denied

Even root can't valgrind it:

user@devuan:~/test3$ sudo valgrind ./a.out
==19385==
==19385== Warning: Can't execute setuid/setgid/setcap executable: ./a.out
==19385== Possible workaround: remove --trace-children=yes, if in effect
==19385==
valgrind: ./a.out: Permission denied


So how to?

Afair I tried also giving SUID flags, and all CAPs to valgrind* and it's /lib/ binaries and all, but nothing worked.


Is it required to hack the kernel to remove this restriction?
What is the root cause?


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Valgrind-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/valgrind-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: How to debug program that has linux Capabilities

John Reiser
> Create a hello world binary.
>
> Give it linux capabilities e.g. with setcap command.
>
> valgrind the binary with caps.
>
> It will fail.:
     [snip]]
>
> Afair I tried also giving SUID flags, and all CAPs to valgrind* and it's /lib/ binaries and all, but nothing worked.


The capabilities are attached to the process by the Linux kernel
from the file in the filesystem when the kernel performs the
syscall execve(filename,,).  Neither valgrind nor its tools
perform execve(target_filename,,).

If a capability is inheritable, then attaching it to the filename
of some valgrind execve() in the dynamic chain of execve()s (see
"strace -e trace=execve valgrind ...") should work.
Otherwise, investigate prctl(PR_CAP_AMBIENT_RAISE,) etc.
Logically you want valgrind to prctl(PR_CAP_SET_ATTACH,)
but that apparently does not exist.

--

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Valgrind-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/valgrind-users
Loading...