mesos-reviews mailing list archives

From Andrei Budnik <abud...@mesosphere.com>
Subject Review Request 70010: Store `logrotate` config in memfd file instead of container's sandbox.
Date Tue, 19 Feb 2019 17:06:36 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70010/
-----------------------------------------------------------

Review request for mesos, Gilbert Song, Greg Mann, and Joseph Wu.


Bugs: MESOS-9564
    https://issues.apache.org/jira/browse/MESOS-9564


Repository: mesos


Description
-------

Previously, logrotation module stored the `logrotate` configuration
file in container's sandbox directory, so that it was garbage collected
together with the container's sandbox. If the container's task had
permissions to modify this configuration file, it was possible to run
any command under an unprivileged user. This patch stores `logrotate`
config in an anonymous temporary file via `memfd`, so logrotation module
can pass a path to procfs instead of container's sandbox. This approach
solves the aforementioned security issue on Linux.


Diffs
-----

  src/slave/container_loggers/logrotate.cpp b989de3e4cd3fdc1d8bdccfc83c22c99519eea7b 


Diff: https://reviews.apache.org/r/70010/diff/1/


Testing
-------


Thanks,

Andrei Budnik
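
The approach described in the message above, as an added example that is not part of the original e-mail and is not the Mesos patch: a config is written to an anonymous `memfd` file and handed on as a procfs path instead of a path in a task-writable directory. The helper names and the sample config are constructed for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Constructed sample; the log path is a placeholder, not a Mesos path. */
static const char SAMPLE_CONF[] =
    "/path/to/sandbox/stdout {\n  size 10M\n  rotate 9\n  copytruncate\n}\n";

/* Hypothetical helper: copy `conf` into an anonymous memfd and write
 * "/proc/self/fd/<fd>" into `path`. Returns the fd, or -1 on error.
 * The fd must stay open for as long as the path is in use. */
int store_config_in_memfd(const char *conf, char *path, size_t path_len)
{
    /* Raw syscall so this also builds against glibc older than 2.27.
     * Flags 0: the fd survives exec, so the same path resolves in an
     * exec'd helper; with MFD_CLOEXEC it would not. */
    int fd = (int)syscall(SYS_memfd_create, "logrotate.conf", 0u);
    if (fd < 0) return -1;
    size_t len = strlen(conf);
    for (size_t off = 0; off < len; ) {
        ssize_t n = write(fd, conf + off, len - off);
        if (n <= 0) { close(fd); return -1; }
        off += (size_t)n;
    }
    snprintf(path, path_len, "/proc/self/fd/%d", fd);
    return fd;
}

/* Directory entries naming the file; a memfd has none (0). */
long link_count(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? (long)st.st_nlink : -1;
}

/* Open `path` like a consumer would; 1 if it yields exactly `expected`. */
int path_yields(const char *path, const char *expected)
{
    char buf[512] = {0};
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n >= 0 && strcmp(buf, expected) == 0;
}
```

The file never has a name in any directory, and the procfs path stops resolving once the holder closes the descriptor, so there is nothing left to garbage collect.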

