gabriel

Reputation: 357

How to run Intellij with CAP_SYSLOG?

To enable profiling, IntelliJ needs access to elevated kernel capabilities. It shows a dialog asking to open those features on the entire system. I'm trying to restrict the damage to the IntelliJ process only.

One item is kptr_restrict, which I can open to all (=0) (recommendation from IntelliJ) or to processes with CAP_SYSLOG (=1).

When kptr_restrict is set to 0 (the default) the address is hashed before printing. (This is the equivalent to %p.)

When kptr_restrict is set to (1), kernel pointers printed using the %pK format specifier will be replaced with 0's unless the user has CAP_SYSLOG and effective user and group ids are equal to the real ids. [...]

[...] default is 2, always return 0's.

Since IntelliJ runs from its own Java install, my first attempt was to sudo setcap 'CAP_SYSLOG+eip' ~/.local/share/JetBrains/Toolbox/apps/IDEA-U/ch-0/221.6008.13/jbr/bin/java

After doing all the steps to work around the failed ld.so error described on https://unix.stackexchange.com/a/88001/497788:

$ getcap ~/.local/share/JetBrains/Toolbox/apps/IDEA-U/ch-0/221.6008.13/jbr/bin/java
~/.local/share/JetBrains/Toolbox/apps/IDEA-U/ch-0/221.6008.13/jbr/bin/java  = cap_syslog+eip

$ ~/.local/share/JetBrains/Toolbox/apps/IDEA-U/ch-0/221.6008.13/jbr/bin/java ... com.intellij.idea.Main
(works)

$ getpcaps 12345 #java running intellij
12345 = cap_syslog+ep

$ sysctl kernel.kptr_restrict
kernel.kptr_restrict = 1

Everything seems to be in place. Try to profile an application: still get the message about missing kptr_restrict=0 ... Wondering if IntelliJ is just checking the value instead of trying to use its powers? Let's try that hypothesis. The code seems to open /proc/kallsyms and look for specific lines. I'm guessing that if it sees addresses there, then it is assumed to be working? Or does it look for some attribute on the kptr_restrict line? That code is not very clear to me. (End of detour)

Get the PID of the Java process running the application to be profiled:

$ getpcaps 12999
12999: =

(hummm.... no caps)

$ ps -o ppid= -p 117385
 12345

$ getpcaps 12345
 12345: = cap_syslog+ep

Q1: Why does getpcaps show only cap_syslog+ep and not Inheritable, while getcap shows cap_syslog+eip?

Q2: Why doesn't the child process of 12345 inherit cap_syslog?

Well, let's ignore the inheritance and also add the capability to the child Java process (which is a different binary):

sudo setcap 'CAP_SYSLOG+ep' ~/.jdks/temurin-1.8.0_332/bin/java

It works fine. Restart everything. Same failure.

Even tried to catch any Java process being spawned out of those binaries with while true; do for p in $(ps aux | grep java | grep -v grep | awk '{print $2}'); do getpcaps $p; done; done and never saw any line without "cap_syslog+ep".

Q3: What's the right way to get this to work?

Upvotes: 0

Views: 226
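An added diagnostic for Q1 and Q2 (example code, not the asker's): it decodes the raw CapInh/CapPrm/CapEff/CapAmb masks from /proc/<pid>/status, which is what getpcaps summarises, and states what a child created by execve can keep according to the transformation rules in capabilities(7). The sample status block is constructed to mirror PID 12345 above (cap_syslog+ep, Inheritable and Ambient empty).

```shell
# Added diagnostic (not from the question): decode the capability masks that
# getpcaps summarises, from /proc/<pid>/status, and say whether a child created
# by execve can keep CAP_SYSLOG. Rules per capabilities(7):
#   P'(inheritable) = P(inheritable)            (a file +i bit never adds to it)
#   P'(permitted)   = (P(inh) & F(inh)) | (F(prm) & P(bnd)) | P'(ambient)
#   P'(ambient)     = P(ambient) unless the new binary is privileged

CAP_SYSLOG=34   # bit number of CAP_SYSLOG in <linux/capability.h>

# cap_in_set HEXMASK BIT -> prints 1 if BIT is set in the 64-bit HEXMASK, else 0
cap_in_set() {
    mask=$(printf '%d' "0x$1")
    echo $(( (mask >> $2) & 1 ))
}

# cap_verdict INH PRM EFF AMB BIT -> one line on what survives execve
cap_verdict() {
    inh=$(cap_in_set "$1" "$5"); prm=$(cap_in_set "$2" "$5")
    eff=$(cap_in_set "$3" "$5"); amb=$(cap_in_set "$4" "$5")
    if [ "$amb" = 1 ]; then
        echo "ambient: kept across execve of an unprivileged binary"
    elif [ "$inh" = 1 ]; then
        echo "inheritable: kept only if the new binary carries the +i file capability"
    elif [ "$prm" = 1 ] || [ "$eff" = 1 ]; then
        echo "permitted/effective only: lost on execve unless the new binary carries +p"
    else
        echo "absent: this process does not hold the capability at all"
    fi
}

# cap_verdict_from_status STATUS_TEXT BIT -> parse the Cap* lines, then judge
# (the four masks are deliberately word-split into positional arguments)
cap_verdict_from_status() {
    masks=$(printf '%s\n' "$1" | awk '/^CapInh:/{i=$2} /^CapPrm:/{p=$2} /^CapEff:/{e=$2} /^CapAmb:/{a=$2} END{print i, p, e, a}')
    cap_verdict $masks "$2"
}

# cap_report PID -> read the live /proc entry of a running process
cap_report() {
    cap_verdict_from_status "$(cat "/proc/$1/status")" "$CAP_SYSLOG"
}

# Constructed sample mirroring PID 12345 above: cap_syslog+ep, Inh and Amb empty
SAMPLE_STATUS="CapInh:	0000000000000000
CapPrm:	0000000400000000
CapEff:	0000000400000000
CapAmb:	0000000000000000"

if [ "$#" -gt 0 ]; then cap_report "$1"; else cap_verdict_from_status "$SAMPLE_STATUS" "$CAP_SYSLOG"; fi
```

Run it with a PID to inspect a live process; without arguments it explains the constructed sample, which is why setcap +i on the parent binary left the thread's Inheritable set empty and why the child received nothing.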

Answers (0)
