mesos-reviews mailing list archives

From Xudong Ni via Review Board <nore...@reviews.apache.org>
Subject Re: Review Request 69615: Disable containerizer ptrace attach.
Date Fri, 21 Dec 2018 23:57:53 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69615/#review211517
-----------------------------------------------------------




src/slave/containerizer/mesos/launch.cpp
Lines 142 (patched)
<https://reviews.apache.org/r/69615/#comment296758>

    Is this redundant empty line compared to the rest of the style?



src/tests/containerizer/mesos_containerizer_tests.cpp
Lines 304 (patched)
<https://reviews.apache.org/r/69615/#comment296759>

    Is this redundant empty line compared to the rest of the style?



src/tests/containerizer/mesos_containerizer_tests.cpp
Lines 423 (patched)
<https://reviews.apache.org/r/69615/#comment296760>

    Is this redundant empty line compared to the rest of the style?



src/tests/containerizer/mesos_containerizer_tests.cpp
Lines 425 (patched)
<https://reviews.apache.org/r/69615/#comment296757>

    Shall we have two empty lines before the next test?


- Xudong Ni


On Dec. 21, 2018, 5:20 a.m., James Peach wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69615/
> -----------------------------------------------------------
> 
> (Updated Dec. 21, 2018, 5:20 a.m.)
> 
> 
> Review request for mesos, Xudong Ni, Gilbert Song, Jie Yu, and Jiang Yan Xu.
> 
> 
> Bugs: MESOS-9349
>     https://issues.apache.org/jira/browse/MESOS-9349
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Use `prctl(PR_SET_DUMPABLE)` to disable the ability to attach to
> the containerizer process(es) on Linux systems. This prevents
> unprivileged containerized processes from reading information
> about the containerizer process(es) from `/proc`. This gives an
> additional layer of protection against leaking information to
> untrusted container processes.
> 
> 
> Diffs
> -----
> 
>   docs/configuration/agent.md 7a8df6852dc2af174a6c5a552dca88fa1b1c29f3 
>   src/launcher/executor.cpp f962e800f23d5582b1bc04a263253893492a5054 
>   src/slave/containerizer/mesos/containerizer.cpp a5cf2da55c046c5c45e0c2ca3400f64de12de62b 
>   src/slave/containerizer/mesos/launch.hpp 0a6394d56321948ad760ac69c05456319a254842 
>   src/slave/containerizer/mesos/launch.cpp 2f1c9e7a8748c9d7eab25bc8567ca68308e680f9 
>   src/slave/flags.hpp 29d8b7985ffde57da02b5fe0d3a524e98acc27c8 
>   src/slave/flags.cpp ccaf65029ec2d0e78041fc3992a0bf5ca0798686 
>   src/slave/slave.cpp ad3b693a716cf6103345a157bf28dd60a7b07d32 
>   src/tests/containerizer/mesos_containerizer_tests.cpp 449928c10b897061642af8ad267f8b70695940e6 
>   src/tests/slave_tests.cpp 4aed5d68e9a408821880ffaede482937be1999f4 
> 
> 
> Diff: https://reviews.apache.org/r/69615/diff/1/
> 
> 
> Testing
> -------
> 
> make check (Fedora 29)
> 
> 
> Thanks,
> 
> James Peach
> 
>
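The quoted description says the patch uses `prctl(PR_SET_DUMPABLE)` to stop untrusted container processes from attaching to, or reading `/proc` details of, the containerizer helpers. The following is an added, stand-alone illustration of that mechanism; it is not code from the Mesos patch under review. It assumes Linux with `/proc` mounted, and the function names (`getDumpable`, `disablePtraceAttach`, `enablePtraceAttach`, `procMapsOwner`) are hypothetical names chosen for this example.

```cpp
// Added example (not Mesos code): make the current process non-dumpable with
// prctl(PR_SET_DUMPABLE, 0) and observe the effect through /proc ownership.
#include <sys/prctl.h>
#include <sys/stat.h>
#include <unistd.h>

#include <cstdio>

// Current dumpable flag: 1 means another process with the same uid may
// ptrace-attach and read /proc/<pid>/{maps,environ,...}; 0 means it may not
// (only root / CAP_SYS_PTRACE can). Returns -1 on error.
int getDumpable() {
  return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

// Disable ptrace attach (and core dumps) for the calling process.
// Returns 0 on success, -1 with errno set on failure.
int disablePtraceAttach() {
  return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
}

// Restore the default so a caller can undo the change (used by the test).
int enablePtraceAttach() {
  return prctl(PR_SET_DUMPABLE, 1, 0, 0, 0);
}

// Owner uid of /proc/self/maps as the kernel presents it. While the process
// is dumpable this is its own uid; once it is non-dumpable the kernel reports
// root, which is what denies same-uid readers of the sensitive /proc files.
// Returns (uid_t)-1 if /proc is not available.
uid_t procMapsOwner() {
  struct stat st;
  if (stat("/proc/self/maps", &st) != 0) {
    return static_cast<uid_t>(-1);
  }
  return st.st_uid;
}

int main() {
  std::printf("euid=%u dumpable=%d /proc/self/maps owner=%u\n",
              static_cast<unsigned>(geteuid()), getDumpable(),
              static_cast<unsigned>(procMapsOwner()));

  if (disablePtraceAttach() != 0) {
    std::perror("prctl(PR_SET_DUMPABLE)");
    return 1;
  }

  std::printf("after PR_SET_DUMPABLE=0: dumpable=%d /proc/self/maps owner=%u\n",
              getDumpable(), static_cast<unsigned>(procMapsOwner()));
  return 0;
}
```

Two properties worth keeping in mind when reviewing where the call is placed: the dumpable flag is reset to 1 on `execve()` of a non-setuid binary, so each process that needs the protection has to set it after it starts rather than inheriting it from a parent; and the flag only blocks unprivileged peers, since root or a process holding `CAP_SYS_PTRACE` can still attach and read `/proc/<pid>`.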

