Jason Lai commented on MESOS-8654:

[~jieyu], [~gilbert], [~idownes] The patch for this issue is now available at 
[RB #66034|https://reviews.apache.org/r/66034/]. cc [~zhitao] & [~cinchurge]

> The `/proc/sys` mount point in Mesos containers should also include 
> `nosuid,noexec,nodev` mount options.
> --------------------------------------------------------------------------------------------------------
>                 Key: MESOS-8654
>                 URL: https://issues.apache.org/jira/browse/MESOS-8654
>             Project: Mesos
>          Issue Type: Bug
>          Components: containerization, security
>            Reporter: Jason Lai
>            Assignee: Jason Lai
>            Priority: Critical
>              Labels: easyfix, patch, security
> After {{/proc/sys}} gets remounted as read-only in a Mesos container, its 
> mount options becomes {{ro,relatime}} only. It needs to share other mount 
> options of {{/proc}}, including {{nosuid,noexec,nodev}} for security reasons.
> Additional questions: shall we also sandbox other important system mount 
> points, like Systemd does with 
> [{{ProtectSystem=}}|https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=]
>  (or at least 
> [{{ProtectKernelTunables=}}|https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelTunables=])
>  and Docker does with {{docker run}} without {{--privileged}}?

This message was sent by Atlassian JIRA

Reply via email to