[ https://issues.apache.org/jira/browse/MESOS-359?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14083107#comment-14083107 ]

Jie Yu commented on MESOS-359:
------------------------------

We can close this once network monitoring is resolved. Each container is gonna 
have a separate network stack.

> "port" isolation module utilizing ephemeral selinux roles
> ---------------------------------------------------------
>
>                 Key: MESOS-359
>                 URL: https://issues.apache.org/jira/browse/MESOS-359
>             Project: Mesos
>          Issue Type: Story
>          Components: isolation
>            Reporter: Kevin Sweeney
>            Priority: Minor
>
> Basic idea: before launching a task create an ephemeral SELinux role and 
> policy restricting the process from using certain resources starting with 
> ports. Something like (pseudocode - there's a DSL for this or you can make 
> libselinux calls directly)
> before task start {
>     create and install policy module with {
>         allow bind to {requested static ports, dynamically allocated ports like %port:http%}
>         deny bind to port *
>     } for type mesos_task_t:taskid
> }
> run task taskid in selinux execution context user_u:object_r:mesos_task_t:taskid
> at task end {
>     uninstall policy module for taskid
> }
> This will prevent races where 2 tasks bind the same port without explicitly 
> requesting them or being allocated them. There is also a security gain as a 
> compromised task cannot easily grab another task's traffic.
> For inspiration see http://selinuxproject.org/page/SVirt specifically the 
> slide deck at http://namei.org/presentations/svirt-lca-2009.pdf
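The pseudocode in the issue can be made concrete as a small generator for the per-task policy module. The following is an added illustration, not code from Mesos or from the issue reporter. It realises "per task" with a per-task type (`mesos_task_<id>_t`) and a per-task port label (`mesos_task_<id>_port_t`) rather than by placing the task id in the fourth field of the context, since that field must be an MLS/MCS level; it also launches the task under `system_r`, because a process needs a role that its type is authorised for. All type, attribute and module names are assumptions; the `checkmodule`, `semodule_package`, `semodule` and `semanage port` invocations are the standard tools for building, loading and removing a module and for labelling ports. Because SELinux is default-deny, the "deny bind to port *" line of the pseudocode needs no rule: any port whose label the task type is not allowed to `name_bind` is refused. The generator also validates the task id before interpolating it, since task ids originate from frameworks and must not be able to inject policy statements or shell words.

```python
"""Build an ephemeral SELinux policy module that lets one Mesos task bind
only the TCP ports it was allocated (added example, not Mesos code).
Names such as mesos_task_<id>_t / mesos_task_<id>_port_t are assumptions."""
import re

# Task ids are framework-supplied input: accept a conservative charset only,
# so nothing can smuggle extra policy statements or shell words into the
# generated text.
TASK_ID_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def _check(task_id, ports):
    """Validate inputs; return (policy-safe name, sorted unique ports)."""
    if not TASK_ID_RE.match(task_id):
        raise ValueError("task id must match %s" % TASK_ID_RE.pattern)
    uniq = sorted(set(ports))
    for p in uniq:
        if not isinstance(p, int) or not 1 <= p <= 65535:
            raise ValueError("bad port %r" % (p,))
    # SELinux identifiers: letters, digits and underscores only.
    return task_id.replace(".", "_").replace("-", "_"), uniq


def policy_source(task_id, ports):
    """Return the .te source of the task's module (assumed policy shape)."""
    name, _ = _check(task_id, ports)
    ttype = "mesos_task_%s_t" % name          # the task's process domain
    ptype = "mesos_task_%s_port_t" % name     # label for the task's ports
    return "\n".join([
        "module mesos_task_%s 1.0;" % name,
        "",
        "require {",
        "    attribute domain;",
        "    attribute port_type;",
        "    role system_r;",
        "    class tcp_socket { create bind name_bind connect };",
        "    class udp_socket { create bind name_bind };",
        "}",
        "",
        "# one domain and one port label per task",
        "type %s;" % ttype,
        "typeattribute %s domain;" % ttype,
        "role system_r types %s;" % ttype,
        "type %s;" % ptype,
        "typeattribute %s port_type;" % ptype,
        "",
        "# sockets may be created and bound, but name_bind (binding a specific",
        "# port number) is granted only against this task's own port label;",
        "# every other labelled port is denied by default.",
        "allow %s self:tcp_socket { create bind connect };" % ttype,
        "allow %s self:udp_socket { create bind };" % ttype,
        "allow %s %s:tcp_socket name_bind;" % (ttype, ptype),
        "allow %s %s:udp_socket name_bind;" % (ttype, ptype),
        "",
    ])


def install_commands(task_id, ports):
    """Commands to run before task start: build, load, label ports."""
    name, uniq = _check(task_id, ports)
    mod = "mesos_task_%s" % name
    cmds = [
        "checkmodule -M -m -o %s.mod %s.te" % (mod, mod),
        "semodule_package -o %s.pp -m %s.mod" % (mod, mod),
        "semodule -i %s.pp" % mod,
    ]
    # semanage port -a fails if the port already carries a label, which is
    # exactly the double-allocation race the issue wants to surface.
    for p in uniq:
        cmds.append("semanage port -a -t %s_port_t -p tcp %d" % (mod, p))
    return cmds


def uninstall_commands(task_id, ports):
    """Commands to run at task end: unlabel ports, remove the module."""
    name, uniq = _check(task_id, ports)
    mod = "mesos_task_%s" % name
    cmds = ["semanage port -d -t %s_port_t -p tcp %d" % (mod, p) for p in uniq]
    cmds.append("semodule -r %s" % mod)
    return cmds


def launch_context(task_id):
    """Context to pass to runcon/setexeccon for the task process."""
    name, _ = _check(task_id, [])
    return "system_u:system_r:mesos_task_%s_t:s0" % name


if __name__ == "__main__":
    # Constructed sample: a task allocated a static port and one from a range.
    print(policy_source("task-1", [8080, 31000]))
    print("\n".join(install_commands("task-1", [8080, 31000])))
    print(launch_context("task-1"))
    print("\n".join(uninstall_commands("task-1", [8080, 31000])))
```

Running the script only prints the policy and the command sequence; loading the module and labelling ports needs root on an SELinux host, and the generated `.te` should be reviewed against the host's base policy (attribute and class names vary between policy versions) before it is used.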



--
This message was sent by Atlassian JIRA
(v6.2#6252)