From: quazpick <qua...@on...> - 2017-06-24 11:18:43
Create a hello world binary.
Give it linux capabilities e.g. with setcap command.
valgrind the binary with caps.
It will fail:
#include <stdio.h>
int main() { printf("Hello.\n"); return 0; }
user@devuan:~/test3$ gcc main.c
user@devuan:~/test3$ sudo su
root@devuan:/home/user/test3# setcap "cap_net_admin+eip" ./a.out
root@devuan:/home/user/test3# exit
exit
user@devuan:~/test3$ valgrind ./a.out
==19376==
==19376== Warning: Can't execute setuid/setgid/setcap executable: ./a.out
==19376== Possible workaround: remove --trace-children=yes, if in effect
==19376==
valgrind: ./a.out: Permission denied
Even root can't valgrind it:
user@devuan:~/test3$ sudo valgrind ./a.out
==19385==
==19385== Warning: Can't execute setuid/setgid/setcap executable: ./a.out
==19385== Possible workaround: remove --trace-children=yes, if in effect
==19385==
valgrind: ./a.out: Permission denied
So how to?
AFAIR I also tried giving SUID flags and all CAPs to valgrind* and its /lib/ binaries and all, but nothing worked.
Is it required to hack the kernel to remove this restriction?
What is the root cause?
From: John R. <jr...@bi...> - 2017-06-24 12:59:13
> Create a hello world binary.
>
> Give it linux capabilities e.g. with setcap command.
>
> valgrind the binary with caps.
>
> It will fail:
[snip]
>
> AFAIR I also tried giving SUID flags and all CAPs to valgrind* and its /lib/ binaries and all, but nothing worked.
The capabilities are attached to the process by the Linux kernel
from the file in the filesystem when the kernel performs the
syscall execve(filename,,). Neither valgrind nor its tools
perform execve(target_filename,,).
If a capability is inheritable, then attaching it to the filename
of some valgrind execve() in the dynamic chain of execve()s (see
"strace -e trace=execve valgrind ...") should work.
Otherwise, investigate prctl(PR_CAP_AMBIENT_RAISE,) etc.
Logically you want valgrind to prctl(PR_CAP_SET_ATTACH,)
but that apparently does not exist.
--
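The ambient-capability route mentioned in the reply above, as an added example that is not part of the original thread or of valgrind: a small wrapper that raises CAP_NET_ADMIN into its ambient set and then execs its arguments, so the capability survives the execve() chain into the valgrind tool process. Assumptions: Linux 4.3 or later, the wrapper file itself carries cap_net_admin+p, and the file capability has been removed from the target so valgrind's setcap check no longer refuses it; `raise_ambient` and `ambient_is_set` are names made up for this example.

```c
/* Added example: run a command with CAP_NET_ADMIN as an ambient capability. */
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Returns 1 if cap is in this process's ambient set, 0 if not, -1 on error. */
int ambient_is_set(int cap)
{
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, cap, 0, 0);
}

/* Adds cap to the inheritable set, then raises it into the ambient set.
 * The kernel only allows the raise when cap is already permitted AND
 * inheritable. Returns 0 on success, -1 on failure. */
int raise_ambient(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];   /* v3 uses two 32-bit words */

    if (cap < 0 || cap > CAP_LAST_CAP)
        return -1;
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    data[cap / 32].inheritable |= 1u << (cap % 32);
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -1;               /* EPERM if cap is not in the permitted set */
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    if (raise_ambient(CAP_NET_ADMIN) != 0) {
        perror("raise_ambient(CAP_NET_ADMIN)");
        return 1;
    }
    execvp(argv[1], argv + 1);   /* e.g. valgrind ./a.out */
    perror("execvp");
    return 127;
}
```

Anyone who can execute the wrapper can run any command with CAP_NET_ADMIN, so restrict its mode and group to the users who need it.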