-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70010/
-----------------------------------------------------------
Review request for mesos, Gilbert Song, Greg Mann, and Joseph Wu.
Bugs: MESOS-9564
https://issues.apache.org/jira/browse/MESOS-9564
Repository: mesos
Description
-------
Previously, logrotation module stored the `logrotate` configuration
file in container's sandbox directory, so that it was garbage collected
together with the container's sandbox. If the container's task had
permissions to modify this configuration file, it was possible to run
any command under an unprivileged user. This patch stores `logrotate`
config in an nonymous temporary file via `memfd`, so logrotation module
can pass a path to procfs instead of container's sandbox. This approach
solves the aforementioned security issue on Linux.
Diffs
-----
src/slave/container_loggers/logrotate.cpp b989de3e4cd3fdc1d8bdccfc83c22c99519eea7b
Diff: https://reviews.apache.org/r/70010/diff/1/
Testing
-------
Thanks,
Andrei Budnik
|