mesos-reviews mailing list archives

From Andrei Budnik <abud...@mesosphere.com>
Subject Re: Review Request 68018: Added `SeccompFilter` class.
Date Fri, 04 Jan 2019 20:13:34 GMT


> On Jan. 3, 2019, 1:58 a.m., Gilbert Song wrote:
> > src/linux/seccomp/seccomp.cpp
> > Lines 138 (patched)
> > <https://reviews.apache.org/r/68018/diff/11/?file=2116580#file2116580line138>
> >
> >     Do I understand correctly that this would not impact on the setuid/setgid after pivot_root in mesos/launch.cpp?
> >     
> >     The side effect is on the task: the task cannot setuid/setgid and cannot change capabilities?

> Do I understand correctly that this would not impact on the setuid/setgid after pivot_root in mesos/launch.cpp?

Yes, correct.

From https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt:
```
Note that no_new_privs does not prevent privilege changes that do not
involve execve.  An appropriately privileged task can still call
setuid(2) and receive SCM_RIGHTS datagrams.
```

AFAIU, `NO_NEW_PRIVS` prevents changing the current setuid/setgid/capabilities when calling `execve` with these bits set on the executable.


> On Jan. 3, 2019, 1:58 a.m., Gilbert Song wrote:
> > src/linux/seccomp/seccomp.cpp
> > Lines 141-144 (patched)
> > <https://reviews.apache.org/r/68018/diff/11/?file=2116580#file2116580line141>
> >
> >     Instead of always setting `SCMP_FLTATR_CTL_NNP`, should we consider checking root privileges first (e.g., `geteuid() != 0`)?

By default, libseccomp sets the `SCMP_FLTATR_CTL_NNP` flag to `true`:
https://github.com/seccomp/libseccomp/blob/1e64feb5f1a9ea02687228e3073e8b784a04ce46/src/db.c#L960

Hence, all Seccomp tests pass even after removing `seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 1)`. Also, this means that the Docker daemon launches its containers with this flag set by default (as they also use libseccomp).

Disabling the `SCMP_FLTATR_CTL_NNP` flag for `root` means that the Seccomp filter can be reverted anytime. So, disabling this flag is meaningless.


- Andrei


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68018/#review211623
-----------------------------------------------------------


On Nov. 8, 2018, 3:24 p.m., Andrei Budnik wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68018/
> -----------------------------------------------------------
> 
> (Updated Nov. 8, 2018, 3:24 p.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
> 
> 
> Bugs: MESOS-9034
>     https://issues.apache.org/jira/browse/MESOS-9034
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> `SeccompFilter` class is a wrapper for `libseccomp` API. Its main
> purpose is to provide a translation of the `ContainerSeccompProfile`
> message into calls of `libseccomp` API.
> 
> 
> Diffs
> -----
> 
>   src/CMakeLists.txt bde070445b644e15d46c390d1c983caabaa1fec8 
>   src/Makefile.am 7a4904a3d67479267087fd2313a263d8218843fa 
>   src/linux/seccomp/seccomp.hpp PRE-CREATION 
>   src/linux/seccomp/seccomp.cpp PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/68018/diff/14/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Andrei Budnik
> 
>
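The `no_new_privs` behaviour discussed in the reply above can be checked directly with `prctl(2)`. The following is an added example, not part of the original message or of the Mesos patch; it uses no libseccomp calls, and the function name `probe_no_new_privs`, the result bits and the target uid 65534 (assumed to be a mapped unprivileged uid) are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { NNP_SET = 1, NNP_STICKY = 2, NNP_INHERITED = 4, SETUID_OK = 8 };

/* Runs every check in a forked child, so the caller's own process never
 * gets no_new_privs set. Returns a bitmask of the checks that passed,
 * or -1 if fork/wait failed. */
int probe_no_new_privs(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int r = 0, st = 0;
        /* The prctl that corresponds to SCMP_FLTATR_CTL_NNP = 1. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 &&
            prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1)
            r |= NNP_SET;
        /* The bit is one-way: the kernel rejects any value other than 1. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == -1 && errno == EINVAL)
            r |= NNP_STICKY;
        /* It is inherited across fork (and kept across execve). */
        pid_t g = fork();
        if (g == 0)
            _exit(prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1 ? 0 : 1);
        if (g > 0 && waitpid(g, &st, 0) == g &&
            WIFEXITED(st) && WEXITSTATUS(st) == 0)
            r |= NNP_INHERITED;
        /* setuid(2) does not involve execve, so it is unaffected. As root
         * this drops to uid 65534; otherwise it is a same-uid call. */
        uid_t target = geteuid() == 0 ? 65534 : getuid();
        if (setuid(target) == 0 && geteuid() == target)
            r |= SETUID_OK;
        _exit(r);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = probe_no_new_privs();
    printf("set=%d sticky=%d inherited=%d setuid_ok=%d\n", !!(r & NNP_SET),
           !!(r & NNP_STICKY), !!(r & NNP_INHERITED), !!(r & SETUID_OK));
    return r < 0;
}
```

Run as root, the `setuid_ok` result shows the uid drop succeeding with `no_new_privs` already set, which is the ordering the question about `mesos/launch.cpp` was concerned with.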

