[
https://issues.apache.org/jira/browse/MESOS-8654?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16392339#comment-16392339
]
Jason Lai commented on MESOS-8654:
----------------------------------
Oh I forgot to mention, also it is absolutely necessary to remount
{{/proc/sysrq-trigger}} as read-only. Otherwise users can [perform malicious
operations|https://en.wikipedia.org/wiki/Magic_SysRq_key] like rebooting the
host.
> The `/proc/sys` mount point in Mesos containers should also include
> `nosuid,noexec,nodev` mount options.
> --------------------------------------------------------------------------------------------------------
>
> Key: MESOS-8654
> URL: https://issues.apache.org/jira/browse/MESOS-8654
> Project: Mesos
> Issue Type: Bug
> Components: containerization, security
> Reporter: Jason Lai
> Assignee: Jason Lai
> Priority: Minor
> Labels: easyfix, patch, security
>
> After {{/proc/sys}} gets remounted as read-only in a Mesos container, its
> mount options becomes {{ro,relatime}} only. It needs to share other mount
> options of {{/proc}}, including {{nosuid,noexec,nodev}} for security reasons.
> Additional questions: shall we also sandbox other important system mount
> points, like Systemd does with
> [{{ProtectSystem=}}|https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=]
> (or at least
> [{{ProtectKernelTunables=}}|https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelTunables=])
> and Docker does with {{docker run}} without {{--privileged}}?
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
