> On Jan. 3, 2019, 1:58 a.m., Gilbert Song wrote:
> > src/linux/seccomp/seccomp.cpp
> > Lines 138 (patched)
> > <https://reviews.apache.org/r/68018/diff/11/?file=2116580#file2116580line138>
> >
> >     Do I understand correctly that this would not impact the setuid/setgid after pivot_root in mesos/launch.cpp?
> >
> >     The side effect is on the task: the task cannot setuid/setgid and cannot change capabilities?
> Do I understand correctly that this would not impact the setuid/setgid after pivot_root in mesos/launch.cpp?

Yes, correct.

From https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt:

```
Note that no_new_privs does not prevent privilege changes that do not
involve execve. An appropriately privileged task can still call setuid(2)
and receive SCM_RIGHTS datagrams.
```

AFAIU, `NO_NEW_PRIVS` prevents changing the current setuid/setgid/capabilities when calling `execve` on an executable with these bits set.


> On Jan. 3, 2019, 1:58 a.m., Gilbert Song wrote:
> > src/linux/seccomp/seccomp.cpp
> > Lines 141-144 (patched)
> > <https://reviews.apache.org/r/68018/diff/11/?file=2116580#file2116580line141>
> >
> >     Instead of always setting `SCMP_FLTATR_CTL_NNP`, should we consider checking root privileges first (e.g., `geteuid() != 0`)?

By default, libseccomp sets the `SCMP_FLTATR_CTL_NNP` flag to `true`:
https://github.com/seccomp/libseccomp/blob/1e64feb5f1a9ea02687228e3073e8b784a04ce46/src/db.c#L960

Hence, all Seccomp tests pass even after removing `seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 1)`.

Also, this means that the Docker daemon launches its containers with this flag set by default (as they also use libseccomp).

Disabling the `SCMP_FLTATR_CTL_NNP` flag for `root` means that the Seccomp filter can be reverted anytime. So, disabling this flag is meaningless.


- Andrei


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68018/#review211623
-----------------------------------------------------------


On Nov. 8, 2018, 3:24 p.m., Andrei Budnik wrote:
>
> (Updated Nov. 8, 2018, 3:24 p.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, James Peach, and Qian Zhang.
>
>
> Bugs: MESOS-9034
>     https://issues.apache.org/jira/browse/MESOS-9034
>
>
> Repository: mesos
>
>
> Description
> -------
>
> `SeccompFilter` class is a wrapper for `libseccomp` API. Its main
> purpose is to provide a translation of the `ContainerSeccompProfile`
> message into calls of `libseccomp` API.
>
>
> Diffs
> -----
>
>   src/CMakeLists.txt bde070445b644e15d46c390d1c983caabaa1fec8
>   src/Makefile.am 7a4904a3d67479267087fd2313a263d8218843fa
>   src/linux/seccomp/seccomp.hpp PRE-CREATION
>   src/linux/seccomp/seccomp.cpp PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/68018/diff/14/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Andrei Budnik
>
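For readers of this thread, the following is an added example (not Mesos or libseccomp code) showing what the `SCMP_FLTATR_CTL_NNP` attribute discussed above makes libseccomp do before `seccomp_load()`: set `no_new_privs` via `prctl(2)` and only then install the filter. It assumes a Linux 3.5+ system with the kernel headers available; the filter it installs is allow-all, so it changes nothing for the calling process, and the pre-NNP attempt is expected to fail with `EACCES` only when the caller is unprivileged.

```c
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Returns 1 if no_new_privs is set for this thread, 0 if not, -errno on error. */
int nnp_is_set(void) {
  int r = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
  return r < 0 ? -errno : r;
}

/* Sets no_new_privs (irreversible, inherited by children): from now on
 * execve() will not grant setuid/setgid/file capabilities.  This is the
 * prctl that libseccomp issues when SCMP_FLTATR_CTL_NNP is 1 (the default). */
int set_nnp(void) {
  return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 ? 0 : -errno;
}

/* Installs a one-instruction allow-all seccomp filter.  Returns 0 or -errno.
 * The kernel refuses with -EACCES when the caller lacks CAP_SYS_ADMIN and
 * no_new_privs is not set, which is the case the NNP attribute covers. */
int load_allow_all_filter(void) {
  struct sock_filter insns[] = {
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
  };
  struct sock_fprog prog = { .len = 1, .filter = insns };
  if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0) != 0)
    return -errno;
  return 0;
}

int main(void) {
  int r;
  printf("euid=%d nnp_before=%d\n", (int)geteuid(), nnp_is_set());
  r = load_allow_all_filter();
  printf("load without nnp: %s\n", r == 0 ? "ok" : strerror(-r));
  printf("set_nnp=%d nnp_after=%d\n", set_nnp(), nnp_is_set());
  r = load_allow_all_filter();
  printf("load with nnp: %s\n", r == 0 ? "ok" : strerror(-r));
  return 0;
}
```

Run it once as an unprivileged user and once as root to see the difference Gilbert asked about: only the unprivileged run needs `no_new_privs` for the filter load to succeed.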
