-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59184/
-----------------------------------------------------------

Review request for mesos, Benjamin Bannier and Jie Yu.


Bugs: MESOS-7476
    https://issues.apache.org/jira/browse/MESOS-7476


Repository: mesos


Description
-------

The linux/capabilities isolator implemented the --allowed_capabilities
option by granting all the allowed capabilities. This depended on the
granted capabilities being removed across exec, leaving only the changes
to the bounding set in the child process.

This change explicitly populates the bounding set in the case where
--allowed_capabilities has been set and the task itself has not been
granted any capabilities. This improves the security of tasks since it
is now possible to configure the bounding set without potentially giving
privilege to the task.


Diffs
-----

  include/mesos/slave/containerizer.proto 41f2905df690bfe88ed762f1cd1246689fa4d3ea
  src/launcher/executor.cpp b05f73e539c22d4d40f07df76168a06373b818d4
  src/slave/containerizer/mesos/isolators/linux/capabilities.cpp 60d22aa877c1ab62a08222e5efe8800e337684da
  src/slave/containerizer/mesos/launch.cpp 2835beff9dbfa7f2a1cac306a58e2b1d66c14342
  src/tests/containerizer/linux_capabilities_isolator_tests.cpp f9d2a532bb5bef4654474cb171911952218780fa


Diff: https://reviews.apache.org/r/59184/diff/1/


Testing
-------

make check (Fedora 25)


Thanks,

James Peach
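As an added illustration of the bounding-set mechanism the description relies on (example code written here, not the Mesos isolator's own implementation): the allowed capabilities are taken as a 64-bit mask of capability numbers, every capability outside that mask is dropped from the bounding set with PR_CAPBSET_DROP, and the permitted/effective sets are never touched, so the task gains no privilege while file capabilities on exec stay confined. Linux only; the /proc path and mask layout are this example's assumptions.

```c
// Added example, not Mesos code: restrict the capability bounding set to an
// allowed subset without granting anything to the task. The bounding set
// limits what file capabilities can add on exec, while permitted/effective
// stay untouched (empty for an unprivileged task). Linux only.
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <linux/capability.h>

#ifndef CAP_LAST_CAP
#define CAP_LAST_CAP 40 /* fallback for old headers; the kernel value is read below */
#endif

/* Highest capability number the running kernel knows (clamped to a 64-bit mask). */
static int last_cap(void) {
    int n = CAP_LAST_CAP;
    FILE *f = fopen("/proc/sys/kernel/cap_last_cap", "r");
    if (f) {
        if (fscanf(f, "%d", &n) != 1) n = CAP_LAST_CAP;
        fclose(f);
    }
    return n > 63 ? 63 : n;
}

/* Pure helper: mask of capabilities 0..last that are NOT in `allowed`,
 * i.e. the ones to drop from the bounding set. */
uint64_t caps_to_drop(uint64_t allowed, int last) {
    uint64_t all = (last >= 63) ? ~0ULL : ((1ULL << (last + 1)) - 1);
    return all & ~allowed;
}

/* 1 if `cap` is in the bounding set, 0 if not, -1 on error (no privilege needed). */
int in_bounding_set(int cap) { return prctl(PR_CAPBSET_READ, cap, 0, 0, 0); }

/* Drop every capability outside `allowed` from the bounding set. Returns the number
 * dropped, or -1 with errno set. PR_CAPBSET_DROP needs CAP_SETPCAP, so this belongs
 * in container setup before privileges are shed, not in the task itself. */
int restrict_bounding_set(uint64_t allowed) {
    int last = last_cap();
    uint64_t drop = caps_to_drop(allowed, last);
    int dropped = 0;
    for (int cap = 0; cap <= last; cap++) {
        if (!(drop & (1ULL << cap))) continue;
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0) return -1;
        dropped++;
    }
    return dropped;
}
```

Calling restrict_bounding_set((1ULL << CAP_NET_BIND_SERVICE) | (1ULL << CAP_CHOWN)) from a process that still holds CAP_SETPCAP leaves only those two capabilities obtainable after exec; in_bounding_set(CAP_SYS_ADMIN) then returns 0 for the task.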
