mesos-reviews mailing list archives

From Andrei Budnik <abud...@mesosphere.com>
Subject Re: Review Request 70010: Store `logrotate` config in memfd file instead of container's sandbox.
Date Wed, 20 Feb 2019 14:24:14 GMT


> On Feb. 19, 2019, 7:58 p.m., Joseph Wu wrote:
> > Your commit message could mention that the configure flag `ENABLE_LAUNCHER_SEALING`
> > is necessary too (not just Linux), to fix the security hole.

Fixed.


> On Feb. 19, 2019, 7:58 p.m., Joseph Wu wrote:
> > src/slave/container_loggers/logrotate.cpp
> > Lines 81-88 (patched)
> > <https://reviews.apache.org/r/70010/diff/1/?file=2125831#file2125831line85>
> >
> >     Just curious, but is it possible to enable memFD creation without the ability
> >     to seal?  The flag we use to guard `memfd.cpp` refers to sealing, but here, we do
> >     not provide the `MFD_ALLOW_SEALING` option.

> is it possible to enable memFD creation without the ability to seal?

We do not need sealing in this case, so we do not provide the `MFD_ALLOW_SEALING` option.

> The flag we use to guard memfd.cpp refers to sealing

Unfortunately, the flag name is inconsistent with the actual behaviour. Ideally, we should have
renamed the flag, but it requires adding non-trivial changes to other projects that depend on Mesos.
In the future, when we drop support for kernels older than 3.17, we can use the `__linux__` macro
instead of `ENABLE_LAUNCHER_SEALING`.


> On Feb. 19, 2019, 7:58 p.m., Joseph Wu wrote:
> > src/slave/container_loggers/logrotate.cpp
> > Lines 96-101 (patched)
> > <https://reviews.apache.org/r/70010/diff/1/?file=2125831#file2125831line100>
> >
> >     Is there any need to flush this write?  Or do memFD's guarantee the write completes
> >     by the time this returns?

> memFD's guarantee the write completes by the time this returns?

Yes, correct. A write operation to a memfd is equivalent to writing into RAM.


- Andrei


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70010/#review212924
-----------------------------------------------------------


On Feb. 19, 2019, 5:06 p.m., Andrei Budnik wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70010/
> -----------------------------------------------------------
> 
> (Updated Feb. 19, 2019, 5:06 p.m.)
> 
> 
> Review request for mesos, Gilbert Song, Greg Mann, and Joseph Wu.
> 
> 
> Bugs: MESOS-9564
>     https://issues.apache.org/jira/browse/MESOS-9564
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Previously, the logrotation module stored the `logrotate` configuration
> file in the container's sandbox directory, so that it was garbage collected
> together with the container's sandbox. If the container's task had
> permissions to modify this configuration file, it was possible to run
> any command under an unprivileged user. This patch stores the `logrotate`
> config in an anonymous temporary file via `memfd`, so the logrotation module
> can pass a path to procfs instead of the container's sandbox. This approach
> solves the aforementioned security issue on Linux when the
> `ENABLE_LAUNCHER_SEALING` configuration flag is specified.
> 
> 
> Diffs
> -----
> 
>   src/slave/container_loggers/logrotate.cpp b989de3e4cd3fdc1d8bdccfc83c22c99519eea7b
> 
> 
> Diff: https://reviews.apache.org/r/70010/diff/2/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Andrei Budnik
> 
>
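The memfd approach discussed in the description and in the two review threads above (no sealing needed, no flush needed), as an added example in C that is not Mesos code: it places the config in an anonymous in-memory file, hands out the procfs path a consumer opens instead of a sandbox file, checks that no filesystem path backs the fd, and reads the config back through that path. It assumes flags of 0 (no `MFD_CLOEXEC`, so a child given the path still holds the fd after exec) and uses a constructed config text.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Put the logrotate config in an anonymous in-memory file (Linux 3.17+). No
 * MFD_ALLOW_SEALING (not needed, as the review says) and no MFD_CLOEXEC, so a
 * child handed /proc/self/fd/<N> still has the fd after exec (this example's
 * choice). A memfd write goes to RAM: nothing to flush, just handle EINTR. */
int memfd_config_create(const char *config) {
    int fd = (int)syscall(SYS_memfd_create, "logrotate_config", 0);  /* memfd_create(2) */
    if (fd < 0) return -1;
    for (size_t len = strlen(config); len > 0;) {
        ssize_t n = write(fd, config, len);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) { close(fd); return -1; }
        config += n; len -= (size_t)n;
    }
    return fd;
}
/* The procfs path handed to the consumer instead of a file under the sandbox. */
int memfd_config_path(int fd, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "/proc/self/fd/%d", fd);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}
/* Check that no filesystem path a task could reach backs the fd: the kernel
 * reports a memfd's /proc link as "/memfd:<name> (deleted)". */
int memfd_config_is_anonymous(int fd) {
    char link[64], target[128];
    if (memfd_config_path(fd, link, sizeof link) < 0) return 0;
    ssize_t n = readlink(link, target, sizeof target - 1);
    if (n < 0) return 0;
    target[n] = '\0';
    return strncmp(target, "/memfd:", 7) == 0;
}
/* Read the config back through its procfs path, as logrotate would; open()
 * on that path gives a fresh file description starting at offset 0. */
ssize_t memfd_config_read(const char *path, char *out, size_t outlen) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t total = 0, n;
    while ((n = read(fd, out + total, outlen - 1 - (size_t)total)) > 0)
        total += n;  /* at the cap the zero-length read returns 0 */
    close(fd);
    if (n < 0) return -1;
    out[total] = '\0';
    return total;
}
```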

