JDK-8313357 : Revisit requiring SA tests on OSX to either run as root or use sudo
  • Type: Enhancement
  • Component: hotspot
  • Sub-Component: svc-agent
  • Affected Version: 17,21,22
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2023-07-28
  • Updated: 2023-08-21
  • Resolved: 2023-08-17
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 22
22 masterFixed
Related Reports
Relates :  
JDK-8238268 - Many SA tests are not running on OSX because they do not attempt to use sudo when available
Relates :  
JDK-8314133 - sadebugd tests timeout on OSX unless run as root
Description
Currently on OSX, SA tests require that either they be run as root, or that the test has the ability to launch SA tools using sudo. If this can't be done, SkippedException is thrown. I'm not sure of all the history around this, but I think the main issue was an inability to attach unless the SA process is a root process. Here is some of the code involved:

    public static boolean needsPrivileges() {
        return Platform.isOSX() && !Platform.isRoot();
    }

    public static ProcessBuilder createProcessBuilder(JDKToolLauncher launcher) {
        List<String> cmdStringList = Arrays.asList(launcher.getCommand());
        if (needsPrivileges()) {
            cmdStringList = addPrivileges(cmdStringList);
        }
        return new ProcessBuilder(cmdStringList);
    }

    public static void skipIfCannotAttach() {
            ...
            } else if (Platform.isOSX()) {
                ...
                if (!Platform.isRoot() && !canAddPrivileges()) {
                    throw new SkippedException("SA Attach not expected to work. Insufficient privileges (not root and can't use sudo).");
                }
            }
            ...
    }

"privileges" is just another way of saying "sudo". So you "need privileges" if not running as root. "adding privileges" means adding sudo to the command. If not running as root and privileges cannot be added (sudo doesn't work), then the test is skipped. 

Running the SA tools as root (or with sudo) creates it's own set of problems. For one, if the test hangs and the failure_handler is used, it can't itself attach to and debug the SA process. It can't even issue a jcmd. It might be possible to work around this by launching failure_handler tasks using sudo, but I've had mixed results with that.

I've come to learn, at least on my OSX aarch64 system, that running as root or with sudo is not needed IF "Developer mode" is enabled:

$ DevToolsSecurity --status
Developer mode is currently enabled.

I'm not sure if this has always been the case with OSX. Apple has continually made debugging (via process attach) more and more difficult as it tightens security for such activities. Possibly, this used to work, then was restricted, and now is allowed again. In any case, we should take advantage of it and not require root or sudo when running SA tests if "Developer mode" is enabled.
Comments
Changeset: 62ca0015 Author: Chris Plummer <cjplummer@openjdk.org> Date: 2023-08-17 15:26:45 +0000 URL: https://git.openjdk.org/jdk/commit/62ca00158c7ce7b40b5910562c1857b9f05ddf9f
17-08-2023
A pull request was submitted for review. URL: https://git.openjdk.org/jdk/pull/15238 Date: 2023-08-11 01:49:57 +0000
11-08-2023
We also have the following code preventing and sadebug tests from running on OSX if privileges are needed: /** * This tests has issues if you try adding privileges on OSX. The debugd process cannot * be killed if you do this (because it is a root process and the test is not), so the destroy() * call fails to do anything, and then waitFor() will time out. If you try to manually kill it with * a "sudo kill" command, that seems to work, but then leaves the LingeredApp it was * attached to in a stuck state for some unknown reason, causing the stopApp() call * to timeout. For that reason we don't run this test when privileges are needed. Note * it does appear to run fine as root, so we still allow it to run on OSX when privileges * are not required. */ public static void validateSADebugDPrivileges() { if (needsPrivileges()) { throw new SkippedException("Cannot run this test on OSX if adding privileges is required."); } } If needsPrivileges() would start returning false if "Developer mode" is enabled, then the sadebugd tests would be allowed to run. Update: There are still issues running the sadebugd tests, even with developer mode enabled. See JDK-8314133.
11-08-2023
JDK-8238268 did a lot of work to make sure all SA tests support running with sudo if not running as root, although before JDK-8238268 much if this work was already in placed, but scattered in the tests themselves rather than in shared code in SATestUtils.java.
28-07-2023