> On Feb. 19, 2019, 7:58 p.m., Joseph Wu wrote:
> > Your commit message could mention that the configure flag `ENABLE_LAUNCHER_SEALING`
> > is necessary too (not just Linux), to fix the security hole.
Fixed.
> On Feb. 19, 2019, 7:58 p.m., Joseph Wu wrote:
> > src/slave/container_loggers/logrotate.cpp
> > Lines 81-88 (patched)
> > <https://reviews.apache.org/r/70010/diff/1/?file=2125831#file2125831line85>
> >
> > Just curious, but is it possible to enable memFD creation without the ability
> > to seal? The flag we use to guard `memfd.cpp` refers to sealing, but here, we do not provide
> > the `MFD_ALLOW_SEALING` option.
> is it possible to enable memFD creation without the ability to seal?
We do not need sealing in this case, so we do not provide the `MFD_ALLOW_SEALING` option.
> The flag we use to guard memfd.cpp refers to sealing
Unfortunately, the flag name is inconsistent with the actual behaviour. Ideally, we should have renamed
the flag, but that requires non-trivial changes to other projects that depend on Mesos.
In the future, when we drop support for kernels older than 3.17, we can use the `__linux__` macro
instead of `ENABLE_LAUNCHER_SEALING`.
> On Feb. 19, 2019, 7:58 p.m., Joseph Wu wrote:
> > src/slave/container_loggers/logrotate.cpp
> > Lines 96-101 (patched)
> > <https://reviews.apache.org/r/70010/diff/1/?file=2125831#file2125831line100>
> >
> > Is there any need to flush this write? Or do memFD's guarantee the write completes
> > by the time this returns?
> memFD's guarantee the write completes by the time this returns?
Yes, correct. A write operation to a memfd is equivalent to writing into RAM.
- Andrei
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70010/#review212924
-----------------------------------------------------------
On Feb. 19, 2019, 5:06 p.m., Andrei Budnik wrote:
>
>
> (Updated Feb. 19, 2019, 5:06 p.m.)
>
>
> Review request for mesos, Gilbert Song, Greg Mann, and Joseph Wu.
>
>
> Bugs: MESOS-9564
> https://issues.apache.org/jira/browse/MESOS-9564
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Previously, the logrotation module stored the `logrotate` configuration
> file in the container's sandbox directory, so that it was garbage collected
> together with the container's sandbox. If the container's task had
> permissions to modify this configuration file, it was possible to run
> any command under an unprivileged user. This patch stores the `logrotate`
> config in an anonymous temporary file via `memfd`, so the logrotation module
> can pass a path to procfs instead of the container's sandbox. This approach
> solves the aforementioned security issue on Linux when the
> `ENABLE_LAUNCHER_SEALING` configuration flag is specified.
>
>
> Diffs
> -----
>
> src/slave/container_loggers/logrotate.cpp b989de3e4cd3fdc1d8bdccfc83c22c99519eea7b
>
>
> Diff: https://reviews.apache.org/r/70010/diff/2/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Andrei Budnik
>
>
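The memfd-backed config discussed in this review, as an added stand-alone example (not code from the Mesos patch): it creates the memfd without `MFD_ALLOW_SEALING`, writes a constructed sample config, reads it back through a procfs path, and shows that the kernel rejects a later attempt to add seals. The memfd name `logrotate.conf`, the sample config text and the exact `/proc/self/fd/N` path form are assumptions; the `config_path` and `verify_via_procfs` helpers are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Fallback definitions for toolchains that do not expose the GNU-gated constants. */
#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC 0x0001U
#endif
#ifndef F_ADD_SEALS
#define F_ADD_SEALS 1033
#endif
#ifndef F_SEAL_WRITE
#define F_SEAL_WRITE 0x0008
#endif

/* Constructed sample config, standing in for the one the logrotation module generates. */
static const char kConfig[] = "/tmp/sandbox/stdout {\n  size 10MB\n  rotate 5\n}\n";

/* Creates an anonymous memfd holding the config. As in the patch, MFD_ALLOW_SEALING is
 * deliberately not requested. memfd_create(2) is invoked via syscall(2) to avoid the wrapper. */
int create_config_memfd(const char *contents, size_t len) {
  int fd = (int)syscall(SYS_memfd_create, "logrotate.conf", MFD_CLOEXEC);  /* assumed name */
  if (fd < 0) return -1;
  /* Writing to a memfd is writing to RAM: no flush is needed before handing out the path. */
  if (write(fd, contents, len) != (ssize_t)len) { close(fd); return -1; }
  return fd;
}

/* Builds the procfs path (assumed form) that is passed instead of a file in the sandbox. */
int config_path(int fd, char *buf, size_t size) {
  int n = snprintf(buf, size, "/proc/self/fd/%d", fd);
  return (n > 0 && (size_t)n < size) ? 0 : -1;
}

/* Re-opens the memfd through procfs and checks the bytes match what was written. */
int verify_via_procfs(int fd, const char *expected, size_t len) {
  char path[64], got[256];
  if (config_path(fd, path, sizeof path) != 0 || len >= sizeof got) return -1;
  int rfd = open(path, O_RDONLY); if (rfd < 0) return -1;
  ssize_t n = read(rfd, got, sizeof got);
  close(rfd);
  return (n == (ssize_t)len && memcmp(got, expected, len) == 0) ? 0 : -1;
}

/* Without MFD_ALLOW_SEALING the kernel refuses new seals: returns 0 on success, else errno (EPERM). */
int try_seal(int fd) { return fcntl(fd, F_ADD_SEALS, F_SEAL_WRITE) == 0 ? 0 : errno; }
```

Only the process holding the descriptor (or one it is passed to) can reach the contents, so a task with write access to the sandbox can no longer alter the config, which is the defensive point of the patch.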