[ 
https://issues.apache.org/jira/browse/MESOS-7476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16002824#comment-16002824
 ] 

James Peach commented on MESOS-7476:
------------------------------------

I propose to only change the way the `--allowed_capabilities` flag behaves. 
Currently this flag grants all capabilities because it assumes that the 
effective, permitted and inheritable sets will be cleared by the exec. This 
patch changes the behavior of this flag to explicitly pass the bounding set 
down so that if task capabilities are not specified, a bounding set can be 
applied without adding to the other capability sets.

> Restrict capabilities to only the bounding set.
> -----------------------------------------------
>
>                 Key: MESOS-7476
>                 URL: https://issues.apache.org/jira/browse/MESOS-7476
>             Project: Mesos
>          Issue Type: Bug
>          Components: containerization
>            Reporter: James Peach
>            Assignee: James Peach
>
> As a security improvement, it would be useful to be able to set the bounding 
> capability set without also granting those capabilities. This is what the 
> {{--allowed_capabilities}} flag sounds like it does.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
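
The difference between the bounding set and the other capability sets that the comment above relies on, modelled with the execve() transformation rules documented in capabilities(7). This is an added example, not Mesos code and not part of the proposed patch; the struct names and sample tasks and files are constructed, and it covers a non-root task executing a file with or without file capabilities.

```c
/* Added example: model of the execve() capability rules in capabilities(7). */
#include <stdint.h>
#include <stdio.h>

/* Bit positions match <linux/capability.h>. */
#define NET_BIND_SERVICE (UINT64_C(1) << 10)
#define NET_ADMIN        (UINT64_C(1) << 12)

struct task_caps { uint64_t permitted, effective, inheritable, bounding, ambient; };
struct file_caps { uint64_t permitted, inheritable; int effective; };

/* Sets of a non-root task after execve(). Set-user-ID and set-group-ID
 * binaries are not modelled; a file is "privileged" if it has file caps. */
struct task_caps caps_after_exec(struct task_caps p, struct file_caps f)
{
    struct task_caps n;
    int privileged = f.permitted || f.inheritable || f.effective;

    n.ambient = privileged ? 0 : p.ambient;
    n.permitted = (p.inheritable & f.inheritable) | (f.permitted & p.bounding) | n.ambient;
    n.effective = f.effective ? n.permitted : n.ambient;
    n.inheritable = p.inheritable;   /* unchanged across exec */
    n.bounding = p.bounding;         /* unchanged across exec */
    return n;
}

/* Constructed samples: a file without capabilities and one with file caps. */
static const struct file_caps PLAIN = { 0, 0, 0 };
static const struct file_caps SETCAP = { NET_BIND_SERVICE | NET_ADMIN, 0, 1 };
/* Task with only the bounding set populated. */
static const struct task_caps BOUNDED = { 0, 0, 0, NET_BIND_SERVICE, 0 };
/* Task with the same capability raised in every set. */
static const struct task_caps GRANTED = { NET_BIND_SERVICE, NET_BIND_SERVICE,
    NET_BIND_SERVICE, NET_BIND_SERVICE, NET_BIND_SERVICE };

static void show(const char *label, struct task_caps c)
{
    printf("%-20s permitted=%#llx effective=%#llx bounding=%#llx\n", label,
           (unsigned long long)c.permitted, (unsigned long long)c.effective,
           (unsigned long long)c.bounding);
}

int main(void)
{
    show("bounded, plain file", caps_after_exec(BOUNDED, PLAIN));
    show("bounded, file caps", caps_after_exec(BOUNDED, SETCAP));
    show("granted, plain file", caps_after_exec(GRANTED, PLAIN));
    return 0;
}
```

In the model, the bounded task gains nothing from a plain file and gets only the bounded subset of a file's capabilities, while the task with every set raised keeps the capability across any exec.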
