-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69615/
-----------------------------------------------------------
(Updated March 6, 2019, 1:08 a.m.)
Review request for mesos, Xudong Ni, Gilbert Song, Jie Yu, and Jiang Yan Xu.
Bugs: MESOS-9349
https://issues.apache.org/jira/browse/MESOS-9349
Repository: mesos
Description
-------
Use `prctl(PR_SET_DUMPABLE)` to disable the ability to attach to
the containerizer process(es) on Linux systems. This prevents
unprivileged containerized processes from reading information
about the containerizer process(es) from `/proc`. This gives an
additional layer of protection against leaking information to
untrusted container processes.
Diffs (updated)
-----
docs/configuration/agent.md e744c3caaf1f5c3ed274b622f2fe3eacb60096b2
src/launcher/executor.cpp fa4bcaad9ac36bf380484dadb14d0b0a86a30aae
src/slave/containerizer/mesos/containerizer.cpp 043244841a73fa3f5f7119bc38f6d3a04be8990b
src/slave/containerizer/mesos/launch.hpp 0a6394d56321948ad760ac69c05456319a254842
src/slave/containerizer/mesos/launch.cpp 88b97a572916defbe65692036be77395053eb8e8
src/slave/flags.hpp 09921cb6172202b5c1d2f8d03f9ccaeb3d0e8c94
src/slave/flags.cpp 5fe5e05ddfc92ae0da4ce9c934cd713312a1e46e
src/slave/slave.cpp 4073d8a0954932318b5b37a7b7fa02d7b336840a
src/tests/containerizer/mesos_containerizer_tests.cpp 449928c10b897061642af8ad267f8b70695940e6
src/tests/slave_tests.cpp 22a0295086ae4f4ec26df00a0e077eecfa27f1fb
Diff: https://reviews.apache.org/r/69615/diff/4/
Changes: https://reviews.apache.org/r/69615/diff/3-4/
Testing
-------
make check (Fedora 29)
Thanks,
James Peach
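
The effect the description above relies on, as an added example that is not code from this review request or from Mesos: a child process clears its dumpable flag with `prctl(PR_SET_DUMPABLE, 0)` and the parent, running as the same user, then tries to read the child's environment through `/proc`. The names `probe_child` and `struct probe` are made up for this sketch, and the forked child only stands in for a containerizer process.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result of one probe: the child's dumpable flag and the errno the parent
 * got opening /proc/<child>/environ (0 = readable, -1 = probe did not run). */
struct probe { int dumpable; int read_errno; };

/* Fork a child that optionally clears its dumpable flag (harden != 0),
 * then try to open its environment through /proc from the parent. */
struct probe probe_child(int harden) {
    struct probe r = { -1, -1 };
    int up[2], down[2];
    if (pipe(up) != 0 || pipe(down) != 0) return r;
    pid_t pid = fork();
    if (pid < 0) return r;
    if (pid == 0) {                  /* child: stand-in for the containerizer */
        char c;
        close(up[0]); close(down[1]);
        if (harden) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
        int flag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
        if (write(up[1], &flag, sizeof flag) != (ssize_t)sizeof flag) _exit(1);
        if (read(down[0], &c, 1) < 0) _exit(1);   /* wait until parent probed */
        _exit(0);
    }
    close(up[1]); close(down[0]);
    if (read(up[0], &r.dumpable, sizeof r.dumpable) == (ssize_t)sizeof r.dumpable) {
        char path[64];
        snprintf(path, sizeof path, "/proc/%d/environ", (int)pid);
        int fd = open(path, O_RDONLY);   /* EACCES expected when unprivileged */
        r.read_errno = (fd < 0) ? errno : 0;
        if (fd >= 0) close(fd);
    }
    close(up[0]); close(down[1]);    /* EOF on the pipe releases the child */
    waitpid(pid, NULL, 0);
    return r;
}

int main(void) {
    struct probe base = probe_child(0), hard = probe_child(1);
    printf("default:  dumpable=%d read_errno=%d\n", base.dumpable, base.read_errno);
    printf("hardened: dumpable=%d read_errno=%d\n", hard.dumpable, hard.read_errno);
    return hard.dumpable == 0 ? 0 : 1;
}
```

Run as an unprivileged user, the hardened probe is expected to report `EACCES`, because the kernel reassigns the non-dumpable process's `/proc` entries to root; a caller with `CAP_SYS_PTRACE` (such as root) can still read them.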