[
https://issues.apache.org/jira/browse/MESOS-9898?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16888461#comment-16888461
]
James Peach commented on MESOS-9898:
------------------------------------
/cc [~jjanco]
> Add framework control over the no-new-privileges flag.
> ------------------------------------------------------
>
> Key: MESOS-9898
> URL: https://issues.apache.org/jira/browse/MESOS-9898
> Project: Mesos
> Issue Type: Improvement
> Components: containerization, HTTP API
> Reporter: James Peach
> Priority: Major
>
> Following on from MESOS-9770, we can add framework control over whether the
> no-new-privileges flag.
> The implementation is to add a `no_new_privileges` boolean to the
> {{SeccompInfo}} message that will allow a framework to toggle it on and off.
> This means that the seccomp isolator must be ordered after the nnp isolator
> so that it has priority (last writer wins in a protobuf merge). The nnp
> isolator will still unconditionally set the flag.
> Design doc:
> https://docs.google.com/document/d/1x9S94-P0-nsXHGrwY4BHZ_NEC_bTFMIsDkxxaTd5Vok/edit?usp=sharing
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
