[ https://issues.apache.org/jira/browse/MESOS-359?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kevin Sweeney updated MESOS-359:
--------------------------------
Description:
Basic idea: before launching a task create an ephemeral SELinux role and policy
restricting the process from using certain resources starting with ports.
Something like (pseudocode - there's a DSL for this or you can make libselinux
calls directly)
{noformat}
before task start {
  create and install policy module with {
    allow bind to
      {requested static ports, dynamically allocated ports like %port:http%}
    deny bind to port *
  } for type mesos_task_t:taskid
}
run task taskid in selinux execution context user_u:object_r:mesos_task_t:taskid
at task end
  { uninstall policy module for taskid }
{noformat}
This will prevent races where 2 tasks bind the same port without explicitly
requesting them or being allocated them. There is also a security gain as a
compromised task cannot easily grab another task's traffic.
For inspiration see http://selinuxproject.org/page/SVirt specifically the slide
deck at http://namei.org/presentations/svirt-lca-2009.pdf
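One way to turn the pseudocode into concrete SELinux operations, as an added example that is not part of this issue or of Mesos. It maps the per-task type mesos_task_t:taskid to a type mesos_task_<taskid>_t and assumes a hypothetical base module that already defines an attribute mesos_task_domain carrying the generic rules every task domain needs (entrypoint, transition from the launcher); only the per-task module is generated here.

```shell
# Added example, not Mesos code. Assumes (hypothetical) a base policy module
# that defines attribute mesos_task_domain with the generic rules for task
# domains, and a launcher domain allowed to transition into those domains.
set -eu

# Emit a raw policy module (checkmodule syntax) for one task: its own domain
# plus its own port type. The single allow rule is the pseudocode's "allow bind
# to {ports}"; "deny bind to port *" is SELinux's default deny for everything else.
task_policy_te() {
    local taskid="$1"
    cat <<EOF
module mesos_task_${taskid} 1.0;
require {
    attribute mesos_task_domain;
    attribute port_type;
    class tcp_socket name_bind;
}
type mesos_task_${taskid}_t, mesos_task_domain;
type mesos_task_${taskid}_port_t, port_type;
allow mesos_task_${taskid}_t mesos_task_${taskid}_port_t:tcp_socket name_bind;
EOF
}

# "before task start": build and load the module, then label the task's
# ports (static and dynamically allocated alike) with its ephemeral port type.
task_policy_install() {
    local taskid="$1"; shift
    local port dir; dir=$(mktemp -d)
    task_policy_te "$taskid" > "$dir/task.te"
    checkmodule -M -m -o "$dir/task.mod" "$dir/task.te"
    semodule_package -o "$dir/task.pp" -m "$dir/task.mod"
    semodule -i "$dir/task.pp"
    for port in "$@"; do semanage port -a -t "mesos_task_${taskid}_port_t" -p tcp "$port"; done
    rm -rf "$dir"
}

# "run task taskid in selinux execution context": only the type changes.
task_run() {
    local taskid="$1"; shift
    runcon -t "mesos_task_${taskid}_t" "$@"
}

# "at task end": drop the port labels first, then the module that defines
# the types they referenced, so the policy rebuild never sees a dangling type.
task_policy_remove() {
    local taskid="$1"; shift
    local port
    for port in "$@"; do semanage port -d -t "mesos_task_${taskid}_port_t" -p tcp "$port"; done
    semodule -r "mesos_task_${taskid}"
}
```

Ports the base policy already labels (80 as http_port_t, for instance) cannot be added with `semanage port -a`; the rule would instead have to allow name_bind on that existing port type. Every `semanage port` change rewrites the global policy store, so installing one module per task adds launch latency that is worth measuring before adopting this design.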
> "port" isolation module utilizing ephemeral selinux roles
> ---------------------------------------------------------
>
> Key: MESOS-359
> URL: https://issues.apache.org/jira/browse/MESOS-359
> Project: Mesos
> Issue Type: Brainstorming
> Components: isolation
> Reporter: Kevin Sweeney
> Priority: Minor
>
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira