> On Feb. 13, 2019, 11:07 p.m., Jiang Yan Xu wrote: > > src/slave/containerizer/mesos/launch.cpp > > Lines 556 (patched) > > <https://reviews.apache.org/r/69615/diff/3/?file=2124536#file2124536line556> > > > > The main thing I wanted to confirm is what we chatted about offline but > > I didn't write down: the interpretation of this paragraph in > > http://man7.org/linux/man-pages/man2/prctl.2.html > > > > ``` > > PR_SET_DUMPABLE > > ... > > Normally, this flag is set to 1. However, it is reset to > > the > > current value contained in the file > > /proc/sys/fs/suid_dumpable > > (which by default has the value 0), in the following > > circumstances: > > > > * The process's effective user or group ID is changed. > > ... > > ``` > > > > This reads to me like, in a typical setup which runs Mesos agent as uid > > 0 and the task with another uid (hence the call `os::setuid(uid.get());` > > below does change uid): > > > > - If `/proc/sys/fs/suid_dumpable` is the default 0, then regardless of > > `--allow_ptrace` the result is that the launcher process becomes undumpable. > > - If `/proc/sys/fs/suid_dumpable` is 1, then regardless of > > `--allow_ptrace` the result is that the launcher process becomes dumpable. > > > > i.e., the `prctl()` call here is a noop. > > > > Maybe I misunderstood the doc but perhaps we can tweak the test to be a > > `ROOT_*` test and change to a different task user in order to verify the > > behavior? If you have tested it manually that's fine too just wanted to > > double check :) > > > > FWIW, I checked a sample container that we run (without this patch) and > > see that > > > > ``` > > # ls -l /proc/1/ > > ``` > > > > shows the files under it are all owned by root, which does appear to > > mean that the process' dumpable flag is not 1 according to > > http://man7.org/linux/man-pages/man5/proc.5.html?
Probably we could continue this discussion in the next WG meeting? - Gilbert ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/69615/#review212822 ----------------------------------------------------------- On Feb. 8, 2019, 1:09 p.m., James Peach wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/69615/ > ----------------------------------------------------------- > > (Updated Feb. 8, 2019, 1:09 p.m.) > > > Review request for mesos, Xudong Ni, Gilbert Song, Jie Yu, and Jiang Yan Xu. > > > Bugs: MESOS-9349 > https://issues.apache.org/jira/browse/MESOS-9349 > > > Repository: mesos > > > Description > ------- > > Use `prctl(PR_SET_DUMPABLE)` to disable the ability to attach to > the containerizer process(es) on Linux systems. This prevents > unprivileged containerized processes from reading information > about the containerizer process(es) from `/proc`. This gives an > additional layer of protection against leaking information to > untrusted container processes. > > > Diffs > ----- > > docs/configuration/agent.md a4015c409d00a4c117df6c869d5ba5072bcfe58e > src/launcher/default_executor.cpp 5837cfa4deba557cae43112092ff24b97137951f > src/launcher/executor.cpp f962e800f23d5582b1bc04a263253893492a5054 > src/slave/containerizer/mesos/containerizer.cpp > 35f51ad33da53b3e6a8eec275fbf3e77782b0fba > src/slave/containerizer/mesos/launch.hpp > 0a6394d56321948ad760ac69c05456319a254842 > src/slave/containerizer/mesos/launch.cpp > 7f401cdf481123b8c6cc500ac02bb7daf2613d2c > src/slave/flags.hpp 7346ba5b711a8353a4bc1d7dcd2f6184b777ddd0 > src/slave/flags.cpp 066b84f528b4c888dde399e0b5d5fe5531934de6 > src/slave/slave.cpp 0182dd2ca326723e96eef8c072696ad3c873de0b > src/tests/containerizer/mesos_containerizer_tests.cpp > 449928c10b897061642af8ad267f8b70695940e6 > src/tests/slave_tests.cpp 22a0295086ae4f4ec26df00a0e077eecfa27f1fb > > > Diff: https://reviews.apache.org/r/69615/diff/3/ > > > Testing > ------- > > make check (Fedora 29) > > > Thanks, > > James Peach > >