mesos-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James Peach <jpe...@apache.org>
Subject Re: Review Request 69615: Disable containerizer ptrace attach.
Date Fri, 08 Feb 2019 21:09:31 GMT


> On Jan. 18, 2019, 8:36 a.m., Jiang Yan Xu wrote:
> > src/slave/flags.cpp
> > Lines 338 (patched)
> > <https://reviews.apache.org/r/69615/diff/2/?file=2117175#file2117175line338>
> >
> >     If disallow is the default, it's a breaking change right? Can the default be
allowing it?

Strictly it is a breaking change. In practice, I don't think there's a reasonable workflow
that would depend on this. Even Mesos developers tend not to need to attach a debugger to
the containerizers.

And IMHO we should deliver security improvements by default unless there is a compelling reason
not to.


- James


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69615/#review211839
-----------------------------------------------------------


On Feb. 8, 2019, 9:09 p.m., James Peach wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69615/
> -----------------------------------------------------------
> 
> (Updated Feb. 8, 2019, 9:09 p.m.)
> 
> 
> Review request for mesos, Xudong Ni, Gilbert Song, Jie Yu, and Jiang Yan Xu.
> 
> 
> Bugs: MESOS-9349
>     https://issues.apache.org/jira/browse/MESOS-9349
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Use `prctl(PR_SET_DUMPABLE)` to disable the ability to attach to
> the containerizer process(es) on Linux systems. This prevents
> unprivileged containerized processes from reading information
> about the containerizer process(es) from `/proc`. This gives an
> additional layer of protection against leaking information to
> untrusted container processes.
> 
> 
> Diffs
> -----
> 
>   docs/configuration/agent.md a4015c409d00a4c117df6c869d5ba5072bcfe58e 
>   src/launcher/default_executor.cpp 5837cfa4deba557cae43112092ff24b97137951f 
>   src/launcher/executor.cpp f962e800f23d5582b1bc04a263253893492a5054 
>   src/slave/containerizer/mesos/containerizer.cpp 35f51ad33da53b3e6a8eec275fbf3e77782b0fba

>   src/slave/containerizer/mesos/launch.hpp 0a6394d56321948ad760ac69c05456319a254842 
>   src/slave/containerizer/mesos/launch.cpp 7f401cdf481123b8c6cc500ac02bb7daf2613d2c 
>   src/slave/flags.hpp 7346ba5b711a8353a4bc1d7dcd2f6184b777ddd0 
>   src/slave/flags.cpp 066b84f528b4c888dde399e0b5d5fe5531934de6 
>   src/slave/slave.cpp 0182dd2ca326723e96eef8c072696ad3c873de0b 
>   src/tests/containerizer/mesos_containerizer_tests.cpp 449928c10b897061642af8ad267f8b70695940e6

>   src/tests/slave_tests.cpp 22a0295086ae4f4ec26df00a0e077eecfa27f1fb 
> 
> 
> Diff: https://reviews.apache.org/r/69615/diff/3/
> 
> 
> Testing
> -------
> 
> make check (Fedora 29)
> 
> 
> Thanks,
> 
> James Peach
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message