[ https://issues.apache.org/jira/browse/MESOS-7476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16052677#comment-16052677 ]
Jie Yu commented on MESOS-7476:
-------------------------------

commit e70ef312cc3149677fde7f7645332316864ad0a7
Author: James Peach <jpe...@apache.org>
Date:   Fri Jun 16 20:44:56 2017 -0700

    Add support for explicitly setting bounding capabilities.

    The linux/capabilities isolator implements the `--allowed_capabilities`
    option by granting all the allowed capabilities. This change explicitly
    populates only the bounding capabilities in the case where
    `--bounding_capabilities` has been set but the task itself has not been
    granted any effective capabilities. This improves the security of tasks
    since it is now possible to configure the bounding set without actually
    granting privilege to the task.

    Removed 2 capabilities isolator test cases. These test cases depended on
    the framework-specified effective capabilities also setting the bounding
    set. Now that the operator flag always determines the bounding set, these
    test cases are no longer valid.

    Review: https://reviews.apache.org/r/59552/

commit a307d200c325162223a8007797b968edd8fc5d43
Author: James Peach <jpe...@apache.org>
Date:   Fri Jun 16 20:44:54 2017 -0700

    Change launcher working directory before dropping privilege.

    The launcher needs to change its working directory before dropping
    privilege by switching users and installing capabilities, because
    afterwards it might not have access to traverse to the desired working
    directory.

    Review: https://reviews.apache.org/r/59551/

commit 4d1edb9d98ef63fe1032d42ae0f2f3ba94e6d605
Author: James Peach <jpe...@apache.org>
Date:   Fri Jun 16 20:44:53 2017 -0700

    Check bounding capabilities at isolator creation time.

    When we create the `linux/capabilities` isolator, enforce the rule that
    the bounding capabilities are a superset of the allowed capabilities when
    both are specified.

    Review: https://reviews.apache.org/r/59550/

commit 5454574ef5bf2891f581a354b858b4c7e36f525f
Author: James Peach <jpe...@apache.org>
Date:   Fri Jun 16 20:44:50 2017 -0700

    Add the agent --bounding_capabilities flag.

    Add the agent --bounding_capabilities flag to enable the operator to
    specify a default bounding capabilities set.

    Review: https://reviews.apache.org/r/59549/

commit b75aa51175551552651e577d99ac9ec47ab12de5
Author: James Peach <jpe...@apache.org>
Date:   Fri Jun 16 20:44:48 2017 -0700

    Add a `bounding_capabilities` field to ContainerLaunchInfo.

    Add a `bounding_capabilities` field to ContainerLaunchInfo and propagate
    bounding capabilities through the command executor.

    Review: https://reviews.apache.org/r/59548/

commit ffcfdb77bd1791064a6c97b93faa23c7ff6cf6db
Author: James Peach <jpe...@apache.org>
Date:   Fri Jun 16 20:44:44 2017 -0700

    Rename ContainerLaunchInfo `capabilities` field.

    Rename the ContainerLaunchInfo `capabilities` field to
    `effective_capabilities` since it is intended to be the set of
    capabilities we actually make effective in the launched task.

    Review: https://reviews.apache.org/r/59547/

> Restrict capabilities to only the bounding set.
> -----------------------------------------------
>
>                 Key: MESOS-7476
>                 URL: https://issues.apache.org/jira/browse/MESOS-7476
>             Project: Mesos
>          Issue Type: Bug
>          Components: containerization
>            Reporter: James Peach
>            Assignee: James Peach
>             Fix For: 1.4.0
>
>
> As a security improvement, it would be useful to be able to set the bounding
> capability set without also granting those capabilities. This is what the
> {{--allowed_capabilities}} flag sounds like it does.
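The commits above separate three things: the operator's bounding set, the operator's allowed set, and the effective set a task is actually granted. The following C program is an added illustration of that split and is not Mesos code; it models the sets as 64-bit masks, keeps the "bounding must cover allowed" check from the isolator-creation commit as a pure function, and applies only the bounding set via prctl(PR_CAPBSET_DROP), which needs CAP_SETPCAP at runtime. The function names and the simplified planning rule (bounding always comes from the operator flag, effective is empty when the task requested nothing) are assumptions for this example.

```c
// Added example, not from the Mesos source tree. Linux only.
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <linux/capability.h>

typedef uint64_t capset_t;            // bit i set <=> capability number i
#define CAPBIT(c) ((capset_t)1 << (c))

/* Rule enforced at isolator creation: when both flags are given, every
 * allowed capability must also be in the bounding set. */
int bounding_covers_allowed(capset_t bounding, capset_t allowed) {
    return (allowed & ~bounding) == 0;
}

/* What the launcher should install for one task (simplified model).
 * The bounding set is always the operator's --bounding_capabilities; the
 * effective set is only what the task asked for, so an operator can
 * tighten the bounding set without granting the task any privilege. */
typedef struct { capset_t bounding; capset_t effective; } launch_caps_t;

launch_caps_t plan_caps(capset_t bounding_flag, int task_requested,
                        capset_t task_caps) {
    launch_caps_t out;
    out.bounding = bounding_flag;
    out.effective = task_requested ? task_caps : 0;  // no request -> nothing
    return out;
}

/* Remove from the calling process's bounding set every capability that is
 * not in `bounding`. Returns the number of drops that failed (e.g. no
 * CAP_SETPCAP). Run this after chdir() into the task's working directory,
 * as the launcher commit explains, since traversal may fail afterwards. */
int apply_bounding(capset_t bounding) {
    int failures = 0;
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++) {
        if (bounding & CAPBIT(cap)) continue;
        if (prctl(PR_CAPBSET_READ, cap, 0, 0, 0) == 1 &&
            prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0)
            failures++;
    }
    return failures;
}

int main(void) {
    capset_t bounding = CAPBIT(CAP_CHOWN) | CAPBIT(CAP_NET_BIND_SERVICE);
    launch_caps_t p = plan_caps(bounding, 0, 0);   // task requested nothing
    printf("bounding=%#llx effective=%#llx\n",
           (unsigned long long)p.bounding, (unsigned long long)p.effective);
    return apply_bounding(p.bounding) ? 1 : 0;
}
```

Running it unprivileged prints the planned sets and returns 1 because the drops fail without CAP_SETPCAP; the planning functions are independent of privilege.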