mesos-reviews mailing list archives

From James Peach <jpe...@apache.org>
Subject Review Request 59184: Add support for explicitly setting bounding capabilities.
Date Thu, 11 May 2017 16:44:11 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59184/
-----------------------------------------------------------

Review request for mesos, Benjamin Bannier and Jie Yu.


Bugs: MESOS-7476
    https://issues.apache.org/jira/browse/MESOS-7476


Repository: mesos


Description
-------

The linux/capabilities isolator implemented the --allowed_capabilities
option by granting all the allowed capabilities. This depended on the
granted capabilities being removed across exec, leaving only the changes
to the bounding set in the child process.

This change explicitly populates the bounding set in the case where
--allowed_capabilities has been set and the task itself has not been
granted any capabilities. This improves the security of tasks since it
is now possible to configure the bounding set without potentially giving
privilege to the task.


Diffs
-----

  include/mesos/slave/containerizer.proto 41f2905df690bfe88ed762f1cd1246689fa4d3ea
  src/launcher/executor.cpp b05f73e539c22d4d40f07df76168a06373b818d4
  src/slave/containerizer/mesos/isolators/linux/capabilities.cpp 60d22aa877c1ab62a08222e5efe8800e337684da
  src/slave/containerizer/mesos/launch.cpp 2835beff9dbfa7f2a1cac306a58e2b1d66c14342
  src/tests/containerizer/linux_capabilities_isolator_tests.cpp f9d2a532bb5bef4654474cb171911952218780fa



Diff: https://reviews.apache.org/r/59184/diff/1/


Testing
-------

make check (Fedora 25)


Thanks,

James Peach
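
The description above turns on how the Linux kernel recomputes capability sets across execve(). As an added illustration (not code from the Mesos patch or from its author), this C model of the capabilities(7) rules shows that a task holding only a bounding set gains nothing from a plain binary and at most the bounded subset from a binary with file capabilities. The allowed set and the file capabilities used here are constructed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Capability bit numbers match <linux/capability.h>. */
#define CAP_BIT(n)        (UINT64_C(1) << (n))
#define NET_BIND_SERVICE  CAP_BIT(10)
#define NET_RAW           CAP_BIT(13)
#define SYS_ADMIN         CAP_BIT(21)

struct proc_caps { uint64_t permitted, inheritable, effective, bounding, ambient; };
struct file_caps { uint64_t permitted, inheritable; bool effective; };

/* execve() rules from capabilities(7) for a non-root process.
 * Simplification: a file counts as "privileged" only if it carries file
 * capabilities (set-uid/set-gid binaries are not modelled). */
static struct proc_caps caps_after_exec(struct proc_caps p, struct file_caps f)
{
    struct proc_caps n;
    bool privileged = f.permitted != 0 || f.inheritable != 0;

    n.ambient     = privileged ? 0 : p.ambient;
    n.permitted   = (p.inheritable & f.inheritable) | (f.permitted & p.bounding) | n.ambient;
    n.effective   = f.effective ? n.permitted : n.ambient;
    n.inheritable = p.inheritable;
    n.bounding    = p.bounding;
    return n;
}

/* Constructed scenario: allowed set = {NET_BIND_SERVICE, NET_RAW}. */
static const uint64_t ALLOWED = NET_BIND_SERVICE | NET_RAW;

/* Task with only the bounding set populated and nothing granted. */
static struct proc_caps bounded_task(void)
{
    struct proc_caps p = {0, 0, 0, ALLOWED, 0};
    return p;
}

int main(void)
{
    struct file_caps plain  = {0, 0, false};
    struct file_caps helper = {NET_RAW | SYS_ADMIN, 0, true}; /* constructed file caps */
    printf("plain binary:    permitted=%#llx\n",
           (unsigned long long)caps_after_exec(bounded_task(), plain).permitted);
    printf("file-cap helper: permitted=%#llx\n",
           (unsigned long long)caps_after_exec(bounded_task(), helper).permitted);
    return 0;
}
```

In the second case SYS_ADMIN is masked out because it is absent from the bounding set, while NET_RAW survives.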

