-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66034/
-----------------------------------------------------------

Review request for mesos, Eric Chung, Gilbert Song, Ian Downes, Jie Yu, James 
Peach, and Zhitao Li.


Bugs: MESOS-8654
    https://issues.apache.org/jira/browse/MESOS-8654


Repository: mesos


Description
-------

Several entries under the proc FS within Mesos containers need to be
remounted as read-only to improve security.

The list should include the important ones introduced by Systemd's
`ProtectKernelTunables` option:

* `/proc/bus`
* `/proc/fs`
* `/proc/irq`
* `/proc/sys`
* `/proc/sysrq-trigger`

It is particularly necessary to remount `/proc/sysrq-trigger` as
read-only. Otherwise, it would be possible for users running in
containers as `root` to perform privileged operations, such as host
reboot.

Extra mount options should include `nosuid,noexec,nodev` (see also
`mount(2)` for detailed explanations of the options).
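The two-step sequence the description implies (bind-mount the proc entry onto itself, then remount that bind with `MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV`) plus a check that reads the resulting mount table back, as an added C++ example. This is not the code from this review or from `src/linux/fs.cpp`; the path list mirrors the `ProtectKernelTunables` entries above, the function names are hypothetical, and the `mountinfo` lines used in the check are constructed for illustration.

```cpp
// Added example, not Mesos code: remount selected procfs entries read-only
// with nosuid,noexec,nodev and verify the result via /proc/self/mountinfo.
#include <sys/mount.h>
#include <algorithm>
#include <cerrno>
#include <cstring>
#include <fstream>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Paths mirroring systemd's ProtectKernelTunables list from the description.
const std::vector<std::string> kReadOnlyProcPaths = {
    "/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys", "/proc/sysrq-trigger"};

// Flags for the second (remount) step. MS_BIND|MS_REMOUNT changes the
// per-mount attributes of the bind mount only, leaving the parent /proc
// mount itself writable.
constexpr unsigned long kRemountFlags =
    MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NOEXEC | MS_NODEV;

// Bind-mount `path` onto itself, then remount the bind read-only.
// Returns 0 on success or the errno of the failing mount(2) call.
// Needs CAP_SYS_ADMIN in the target mount namespace (hypothetical helper).
int remountReadOnly(const std::string& path) {
  if (::mount(path.c_str(), path.c_str(), nullptr, MS_BIND, nullptr) != 0) {
    return errno;
  }
  if (::mount(nullptr, path.c_str(), nullptr, kRemountFlags, nullptr) != 0) {
    return errno;
  }
  return 0;
}

// Parse one /proc/self/mountinfo line (see proc(5)):
//   ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTIONS [optional...] - FSTYPE SRC SUPEROPTS
// and return the per-mount OPTIONS field if the line describes `target`,
// otherwise an empty string.
std::string mountOptionsFor(const std::string& mountinfoLine,
                            const std::string& target) {
  std::istringstream in(mountinfoLine);
  std::string id, parent, dev, root, mountPoint, options;
  if (!(in >> id >> parent >> dev >> root >> mountPoint >> options)) return "";
  return mountPoint == target ? options : "";
}

// True when the comma-separated option list contains every required option.
bool hasOptions(const std::string& options,
                const std::vector<std::string>& required) {
  std::vector<std::string> have;
  std::string item;
  std::istringstream in(options);
  while (std::getline(in, item, ',')) have.push_back(item);
  for (const auto& r : required) {
    if (std::find(have.begin(), have.end(), r) == have.end()) return false;
  }
  return true;
}

// Return the paths that are either not mounted at all or are mounted
// without all of ro,nosuid,noexec,nodev, given the full mountinfo text.
std::vector<std::string> findUnprotected(const std::string& mountinfo,
                                         const std::vector<std::string>& paths) {
  std::vector<std::string> bad;
  for (const auto& p : paths) {
    bool ok = false;
    std::istringstream lines(mountinfo);
    std::string line;
    while (std::getline(lines, line)) {
      std::string opts = mountOptionsFor(line, p);
      if (!opts.empty() && hasOptions(opts, {"ro", "nosuid", "noexec", "nodev"})) {
        ok = true;
        break;
      }
    }
    if (!ok) bad.push_back(p);
  }
  return bad;
}

int main() {
  // Apply the remounts (run as root inside a private mount namespace,
  // e.g. under `unshare -m`), then audit the live mount table.
  for (const auto& p : kReadOnlyProcPaths) {
    int err = remountReadOnly(p);
    if (err != 0) std::cerr << p << ": " << std::strerror(err) << "\n";
  }
  std::ifstream f("/proc/self/mountinfo");
  std::stringstream buf;
  buf << f.rdbuf();
  for (const auto& p : findUnprotected(buf.str(), kReadOnlyProcPaths)) {
    std::cout << "NOT protected: " << p << "\n";
  }
  return 0;
}
```

The audit step is the part worth keeping around: a `/proc/sysrq-trigger` entry that is present but still `rw` (for instance after a later remount in the container) is exactly the gap the description warns about, and reading `/proc/self/mountinfo` catches it independently of how the mounts were set up.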


Diffs
-----

  src/linux/fs.cpp ed26f80ef7315809a1df9f2c50b4fe3445810f8a 


Diff: https://reviews.apache.org/r/66034/diff/1/


Testing
-------

The mount table of the container launched by the patched version of
`mesos-containerizer launch` includes the entries listed above, with
`nosuid,noexec,nodev` mount options.
```
$ sudo unshare -m -p -f /usr/local/libexec/mesos/mesos-containerizer launch --launch_info="$(jq -c . launch_info.json)" --runtime_directory="$(pwd)"
Marked '/' as rslave
Prepared mount '{"flags":20480,"source":"\/etc\/hostname","target":"\/home\/jlai\/containers\/rootfs\/etc\/hostname"}'
Prepared mount '{"flags":20480,"source":"\/etc\/hosts","target":"\/home\/jlai\/containers\/rootfs\/etc\/hosts"}'
Prepared mount '{"flags":20480,"source":"\/etc\/resolv.conf","target":"\/home\/jlai\/containers\/rootfs\/etc\/resolv.conf"}'
Changing root to /home/jlai/containers/rootfs
bash-4.4# findmnt -a
TARGET                  SOURCE                      FSTYPE  OPTIONS
/                       alpine                      overlay rw,relatime,lowerdir=overlay/lower,upperdir=overlay/upper,workdir=overlay/work
|-/etc/hostname         /dev/dm-0[/etc/hostname]    ext4    rw,noatime,errors=panic,data=ordered
|-/etc/hosts            /dev/dm-0[/etc/hosts]       ext4    rw,noatime,errors=panic,data=ordered
|-/etc/resolv.conf      /dev/dm-0[/etc/resolv.conf] ext4    rw,noatime,errors=panic,data=ordered
|-/proc                 proc                        proc    rw,nosuid,nodev,noexec,relatime
| |-/proc/bus           proc[/bus]                  proc    ro,nosuid,nodev,noexec,relatime
| |-/proc/fs            proc[/fs]                   proc    ro,nosuid,nodev,noexec,relatime
| |-/proc/irq           proc[/irq]                  proc    ro,nosuid,nodev,noexec,relatime
| |-/proc/sys           proc[/sys]                  proc    ro,nosuid,nodev,noexec,relatime
| `-/proc/sysrq-trigger proc[/sysrq-trigger]        proc    ro,nosuid,nodev,noexec,relatime
|-/sys                  sysfs                       sysfs   ro,nosuid,nodev,noexec,relatime
`-/dev                  tmpfs                       tmpfs   rw,nosuid,noexec,mode=755
  |-/dev/pts            devpts                      devpts  rw,nosuid,noexec,relatime,mode=600,ptmxmode=666
  `-/dev/shm            tmpfs                       tmpfs   rw,nosuid,nodev
```


Thanks,

Jason Lai
