This is an automated email from the ASF dual-hosted git repository. gilbert pushed a commit to branch 1.6.x in repository https://gitbox.apache.org/repos/asf/mesos.git
commit d4852aa344b45025bf868c3d337b75beaa3795d4
Author: Andrei Budnik <[email protected]>
AuthorDate: Mon Feb 11 12:51:28 2019 -0800
Enabled launcher sealing depending on corresponding compiler flag.
This patch enables containerizer launcher sealing when `--enable-launcher-sealing` compiler flag is enabled. By default, this compiler flag is disabled, hence launcher sealing is disabled.
Review: https://reviews.apache.org/r/69950/
(cherry picked from commit d1bff48a677771f77dbcbdd55acfaeae2afa6b9a)
---
 src/launcher/executor.cpp | 8 ++++----
 src/slave/containerizer/mesos/containerizer.cpp | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/launcher/executor.cpp b/src/launcher/executor.cpp
index e10b4ab..3ae3a56 100644
--- a/src/launcher/executor.cpp
+++ b/src/launcher/executor.cpp
@@ -82,9 +82,9 @@
 #include "internal/devolve.hpp"
 #include "internal/evolve.hpp"
-#ifdef __linux__
+#ifdef ENABLE_LAUNCHER_SEALING
 #include "linux/memfd.hpp"
-#endif // __linux__
+#endif // ENABLE_LAUNCHER_SEALING
 #include "logging/logging.hpp"
@@ -485,7 +485,7 @@ protected:
 // Determine the mesos containerizer binary depends on whether we
 // need to clone and seal it on linux.
 string initPath = path::join(launcherDir, MESOS_CONTAINERIZER);
-#ifdef __linux__
+#ifdef ENABLE_LAUNCHER_SEALING
 // Clone the launcher binary in memory for security concerns.
 Try<int_fd> memFd = memfd::cloneSealedFile(initPath);
 if (memFd.isError()) {
@@ -495,7 +495,7 @@ protected:
 }
 initPath = "/proc/self/fd/" + stringify(memFd.get());
-#endif // __linux__
+#endif // ENABLE_LAUNCHER_SEALING
 // Fork the child using launcher.
 vector<string> argv(2);
diff --git a/src/slave/containerizer/mesos/containerizer.cpp b/src/slave/containerizer/mesos/containerizer.cpp
index 7f00084..d195012 100644
--- a/src/slave/containerizer/mesos/containerizer.cpp
+++ b/src/slave/containerizer/mesos/containerizer.cpp
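Review bot: Nothing in the include hunk at line 82 ties `ENABLE_LAUNCHER_SEALING` to Linux any more, although the guarded header is still `linux/memfd.hpp`. If the build system ever defines the macro on another platform (the configure logic is not visible here), the failure would surface as a missing header or symbol rather than a clear message. A guard placed next to the include, `#if defined(ENABLE_LAUNCHER_SEALING) && !defined(__linux__)` followed by `#error "Launcher sealing requires Linux"`, would state the requirement explicitly. The same applies to the matching include hunk in `src/slave/containerizer/mesos/containerizer.cpp`.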
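Review bot: The context comment above the new `#ifdef` in the hunk at line 485 still says the path depends on whether the binary is cloned and sealed "on linux", which no longer matches the guard. I would reword it to `// Use a sealed in-memory copy of the launcher when sealing is compiled in;` followed by `// otherwise the on-disk binary under launcherDir is executed directly.` Because sealing is now off by default, the comment is the only place a reader of this block learns that the protection is absent in a default build. The enclosing function starts and ends outside the hunk.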
@@ -50,9 +50,9 @@
 #include "hook/manager.hpp"
-#ifdef __linux__
+#ifdef ENABLE_LAUNCHER_SEALING
 #include "linux/memfd.hpp"
-#endif // __linux__
+#endif // ENABLE_LAUNCHER_SEALING
 #include "module/manager.hpp"
@@ -571,7 +571,7 @@ Try<MesosContainerizer*> MesosContainerizer::create(
 Option<int_fd> initMemFd;
-#ifdef __linux__
+#ifdef ENABLE_LAUNCHER_SEALING
 // Clone the launcher binary in memory for security concerns.
 Try<int_fd> memFd = memfd::cloneSealedFile(
 path::join(flags.launcher_dir, MESOS_CONTAINERIZER));
@@ -584,7 +584,7 @@ Try<MesosContainerizer*> MesosContainerizer::create(
 }
 initMemFd = memFd.get();
-#endif // __linux__
+#endif // ENABLE_LAUNCHER_SEALING
 return new MesosContainerizer(Owned<MesosContainerizerProcess>(
 new MesosContainerizerProcess(
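Review bot: A default build now leaves `initMemFd` unset in the hunk at line 571 and gives no runtime indication that the launcher is running unsealed. An `#else` branch with a single log line, for example `LOG(INFO) << "Launcher sealing is disabled in this build";`, would let operators confirm from the agent log whether the hardening is in effect. `MesosContainerizer::create` begins and ends outside the hunk, so how `initMemFd` is consumed later is not visible here. The guarded block at line 485 of `src/launcher/executor.cpp` has the same silent fallback to the on-disk path.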
