mesos-reviews mailing list archives

From James Peach <>
Subject Re: Review Request 69615: Disable containerizer ptrace attach.
Date Wed, 06 Mar 2019 01:08:52 GMT

This is an automatically generated e-mail. To reply, visit:

(Updated March 6, 2019, 1:08 a.m.)

Review request for mesos, Xudong Ni, Gilbert Song, Jie Yu, and Jiang Yan Xu.

Bugs: MESOS-9349

Repository: mesos


Use `prctl(PR_SET_DUMPABLE)` to disable the ability to attach to
the containerizer process(es) on Linux systems. This prevents
unprivileged containerized processes from reading information
about the containerizer process(es) from `/proc`. This gives an
additional layer of protection against leaking information to
untrusted container processes.

Diffs (updated)

  docs/configuration/ e744c3caaf1f5c3ed274b622f2fe3eacb60096b2
  src/launcher/executor.cpp fa4bcaad9ac36bf380484dadb14d0b0a86a30aae
  src/slave/containerizer/mesos/containerizer.cpp 043244841a73fa3f5f7119bc38f6d3a04be8990b
  src/slave/containerizer/mesos/launch.hpp 0a6394d56321948ad760ac69c05456319a254842
  src/slave/containerizer/mesos/launch.cpp 88b97a572916defbe65692036be77395053eb8e8
  src/slave/flags.hpp 09921cb6172202b5c1d2f8d03f9ccaeb3d0e8c94
  src/slave/flags.cpp 5fe5e05ddfc92ae0da4ce9c934cd713312a1e46e
  src/slave/slave.cpp 4073d8a0954932318b5b37a7b7fa02d7b336840a
  src/tests/containerizer/mesos_containerizer_tests.cpp 449928c10b897061642af8ad267f8b70695940e6
  src/tests/slave_tests.cpp 22a0295086ae4f4ec26df00a0e077eecfa27f1fb

Testing

make check (Fedora 29)


James Peach
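The following program is an added example, not part of this review or of the Mesos code base. It shows what prctl(PR_SET_DUMPABLE, 0) changes for a Linux process: a forked child clears its dumpable flag the way the description above says the containerizer does, and the parent then inspects the child's /proc ownership and attempts PTRACE_ATTACH. It assumes Linux with glibc; the helper names (set_not_dumpable, get_dumpable, proc_owner_uid, try_ptrace_attach) are made up for the example.

```c
// Added example (not Mesos code): the effect of prctl(PR_SET_DUMPABLE, 0).
// Assumes Linux + glibc. Helper names are invented for this illustration.
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Clear the dumpable flag of the calling process. Returns 0 or -errno. */
int set_not_dumpable(void) {
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -errno;
    return 0;
}

/* Current dumpable flag (0 = not dumpable, 1 = dumpable, 2 = root-only). */
int get_dumpable(void) {
    int v = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    return v < 0 ? -errno : v;
}

/* Owner uid of a /proc entry, or -errno. The kernel reports the files under
 * /proc/<pid> of a non-dumpable process as owned by root (uid 0) rather than
 * by the process's own uid; that is why an unprivileged reader in a container
 * gets EACCES on them. */
int proc_owner_uid(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0)
        return -errno;
    return (int)st.st_uid;
}

/* PTRACE_ATTACH to pid. Returns 0 on success (after detaching again) or
 * -errno; a non-dumpable target yields -EPERM unless the caller holds
 * CAP_SYS_PTRACE in the target's user namespace. */
int try_ptrace_attach(pid_t pid) {
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) != 0)
        return -errno;
    waitpid(pid, NULL, 0);              /* consume the stop ATTACH triggers */
    ptrace(PTRACE_DETACH, pid, NULL, NULL);
    return 0;
}

int main(void) {
    int fds[2];
    if (pipe(fds) != 0) { perror("pipe"); return 1; }

    pid_t child = fork();
    if (child < 0) { perror("fork"); return 1; }
    if (child == 0) {
        /* The "containerizer": become non-dumpable, tell the parent, wait. */
        set_not_dumpable();
        close(fds[0]);
        if (write(fds[1], "x", 1) != 1) _exit(1);
        close(fds[1]);
        pause();
        _exit(0);
    }
    close(fds[1]);
    char c;
    if (read(fds[0], &c, 1) != 1) { perror("read"); return 1; }
    close(fds[0]);

    char path[64];
    snprintf(path, sizeof path, "/proc/%d/environ", (int)child);
    printf("parent uid %d, dumpable flag %d\n", (int)getuid(), get_dumpable());
    printf("owner of %s: uid %d\n", path, proc_owner_uid(path));

    int r = try_ptrace_attach(child);
    printf("PTRACE_ATTACH on non-dumpable child: %s\n",
           r == 0 ? "allowed (caller has CAP_SYS_PTRACE)" : strerror(-r));

    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return 0;
}
```

Run it as an unprivileged user to see the intended effect: the child's /proc files show up as owned by uid 0 and the attach fails with EPERM even though the tracer is the child's own parent. Run as root (or with CAP_SYS_PTRACE) the attach still succeeds, which is the limit of this protection: it stops unprivileged peers, not privileged ones. Two further caveats when wiring this into a launcher: the flag is reset to fs.suid_dumpable when the process changes its effective or filesystem uid/gid or execs a set-uid program, so the prctl call must come after any setuid()/setgid() in the launch path; and if the attach fails even against a dumpable child, check kernel.yama.ptrace_scope, which restricts ptrace independently of this flag.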
