-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69615/
-----------------------------------------------------------

(Updated Jan. 2, 2019, 5:15 p.m.)

Review request for mesos, Xudong Ni, Gilbert Song, Jie Yu, and Jiang Yan Xu.

Bugs: MESOS-9349
    https://issues.apache.org/jira/browse/MESOS-9349

Repository: mesos

Description
-------

Use `prctl(PR_SET_DUMPABLE)` to disable the ability to attach to the containerizer process(es) on Linux systems. This prevents unprivileged containerized processes from reading information about the containerizer process(es) from `/proc`. This gives an additional layer of protection against leaking information to untrusted container processes.

Diffs (updated)
-----

  docs/configuration/agent.md 330283f4e3957075dd4310de4a841feac23de36c
  src/launcher/executor.cpp f962e800f23d5582b1bc04a263253893492a5054
  src/slave/containerizer/mesos/containerizer.cpp a5cf2da55c046c5c45e0c2ca3400f64de12de62b
  src/slave/containerizer/mesos/launch.hpp 0a6394d56321948ad760ac69c05456319a254842
  src/slave/containerizer/mesos/launch.cpp 2f1c9e7a8748c9d7eab25bc8567ca68308e680f9
  src/slave/flags.hpp 494ae02ab5eb365e2cda5017be573691107c3f28
  src/slave/flags.cpp 6bac8e1409f04d639204c45eda8a90c098e3dbd0
  src/slave/slave.cpp ad3b693a716cf6103345a157bf28dd60a7b07d32
  src/tests/containerizer/mesos_containerizer_tests.cpp 449928c10b897061642af8ad267f8b70695940e6
  src/tests/slave_tests.cpp 4aed5d68e9a408821880ffaede482937be1999f4

Diff: https://reviews.apache.org/r/69615/diff/2/

Changes: https://reviews.apache.org/r/69615/diff/1-2/

Testing
-------

make check (Fedora 29)

Thanks,

James Peach