Jason Lai created MESOS-8654:
--------------------------------
Summary: The `/proc/sys` mount point in Mesos containers should
also include `nosuid,noexec,nodev` mount options.
Key: MESOS-8654
URL: https://issues.apache.org/jira/browse/MESOS-8654
Project: Mesos
Issue Type: Bug
Components: containerization, security
Reporter: Jason Lai
Assignee: Jason Lai
After {{/proc/sys}} gets remounted as read-only in a Mesos container, its mount
options become {{ro,relatime}} only. It needs to share other mount options of
{{/proc}}, including {{nosuid,noexec,nodev}} for security reasons.
Additional questions: shall we also sandbox other important system mount
points, like Systemd does with
[{{ProtectSystem=}}|https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=]
(or at least
[{{ProtectKernelTunables=}}|https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelTunables=])
and Docker does with {{docker run}} without {{--privileged}}?
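
One way to check for the condition this issue describes, as an added example that is not part of the original report or of Mesos itself: it parses text in {{/proc/[pid]/mountinfo}} format and lists which of {{nosuid,noexec,nodev}} are absent from {{/proc}} and {{/proc/sys}}. The sample mount lines are constructed for illustration, and the function names are hypothetical.

```python
"""Added example: audit /proc and /proc/sys mount options from mountinfo text."""
import sys

# Options the issue says /proc/sys should share with /proc.
REQUIRED = ("nosuid", "noexec", "nodev")

# Constructed sample in /proc/[pid]/mountinfo format (not captured from a real
# Mesos container): /proc/sys bind-remounted read-only with only ro,relatime.
SAMPLE = """\
100 90 0:50 / /proc rw,nosuid,nodev,noexec,relatime shared:25 - proc proc rw
101 100 0:50 /sys /proc/sys ro,relatime - proc proc rw
"""

def parse_mountinfo(text):
    """Map mount point -> set of per-mount options (field 6 of each line)."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        # Fixed fields, zero or more optional fields, "-", then fstype/source/super opts.
        if len(fields) < 10 or "-" not in fields[6:]:
            continue
        mounts[fields[4]] = set(fields[5].split(","))  # later mounts shadow earlier ones
    return mounts

def audit(text, targets=("/proc", "/proc/sys")):
    """Return {mount point: REQUIRED options it lacks} for each target found."""
    mounts = parse_mountinfo(text)
    return {t: [o for o in REQUIRED if o not in mounts[t]]
            for t in targets if t in mounts}

def is_read_only(text, target="/proc/sys"):
    """True if the target is mounted with the per-mount 'ro' option."""
    return "ro" in parse_mountinfo(text).get(target, set())

if __name__ == "__main__":
    # Pass a mountinfo path (e.g. /proc/self/mountinfo inside the container);
    # with no argument the constructed SAMPLE is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    findings = audit(text)
    for target, missing in findings.items():
        print(f"{target}: {'missing ' + ','.join(missing) if missing else 'ok'}")
    sys.exit(1 if any(findings.values()) else 0)
```

The script exits non-zero when any audited mount lacks one of the three options, so it can gate a container hardening test.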