-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69615/
-----------------------------------------------------------
(Updated Feb. 8, 2019, 9:09 p.m.)
Review request for mesos, Xudong Ni, Gilbert Song, Jie Yu, and Jiang Yan Xu.
Bugs: MESOS-9349
https://issues.apache.org/jira/browse/MESOS-9349
Repository: mesos
Description
-------
Use `prctl(PR_SET_DUMPABLE)` to disable the ability to attach to
the containerizer process(es) on Linux systems. This prevents
unprivileged containerized processes from reading information
about the containerizer process(es) from `/proc`. This gives an
additional layer of protection against leaking information to
untrusted container processes.
Diffs (updated)
-----
docs/configuration/agent.md a4015c409d00a4c117df6c869d5ba5072bcfe58e
src/launcher/default_executor.cpp 5837cfa4deba557cae43112092ff24b97137951f
src/launcher/executor.cpp f962e800f23d5582b1bc04a263253893492a5054
src/slave/containerizer/mesos/containerizer.cpp 35f51ad33da53b3e6a8eec275fbf3e77782b0fba
src/slave/containerizer/mesos/launch.hpp 0a6394d56321948ad760ac69c05456319a254842
src/slave/containerizer/mesos/launch.cpp 7f401cdf481123b8c6cc500ac02bb7daf2613d2c
src/slave/flags.hpp 7346ba5b711a8353a4bc1d7dcd2f6184b777ddd0
src/slave/flags.cpp 066b84f528b4c888dde399e0b5d5fe5531934de6
src/slave/slave.cpp 0182dd2ca326723e96eef8c072696ad3c873de0b
src/tests/containerizer/mesos_containerizer_tests.cpp 449928c10b897061642af8ad267f8b70695940e6
src/tests/slave_tests.cpp 22a0295086ae4f4ec26df00a0e077eecfa27f1fb
Diff: https://reviews.apache.org/r/69615/diff/3/
Changes: https://reviews.apache.org/r/69615/diff/2-3/
Testing
-------
make check (Fedora 29)
Thanks,
James Peach
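
The effect described in the review request above can be observed from a single Linux process. The following is an added example, not code from the Mesos patch; the helper names `environ_owner_uid`, `harden_self` and `child_dumpable` are hypothetical, and only the `prctl(2)` dumpable attribute itself comes from the description.

```c
/* Added example (not Mesos code): effect of PR_SET_DUMPABLE on Linux. */
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: uid that owns /proc/self/environ, or -1 on error. */
long environ_owner_uid(void) {
    struct stat st;
    if (stat("/proc/self/environ", &st) != 0) return -1;
    return (long)st.st_uid;
}

/* Hypothetical helper: clear the dumpable attribute and return the value
 * the kernel now reports (0 on success, -1 if prctl failed). */
int harden_self(void) {
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Fork a child and return the dumpable value it observes. fork() copies
 * the attribute; execve() of an ordinary binary resets it to 1, so a
 * program started via exec has to clear it again itself. */
int child_dumpable(void) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) & 0xff);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("before: dumpable=%d environ uid=%ld\n",
           prctl(PR_GET_DUMPABLE, 0, 0, 0, 0), environ_owner_uid());
    if (harden_self() != 0) { perror("prctl"); return 1; }
    /* With the attribute cleared, most /proc/<pid> files are owned by
     * root and ptrace attach needs CAP_SYS_PTRACE. */
    printf("after:  dumpable=0 environ uid=%ld\n", environ_owner_uid());
    printf("forked child: dumpable=%d\n", child_dumpable());
    return 0;
}
```

Run as a non-root user, the second line should report uid 0 for `/proc/self/environ`, which is what stops another unprivileged process with the same uid from reading it.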