[ 
https://issues.apache.org/jira/browse/MESOS-9349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16661330#comment-16661330
 ] 

James Peach commented on MESOS-9349:
------------------------------------

The plan here is to add an agent flag for operator visibility (probably the 
default should be enabled, so we improve security by default). We can examine 
the flag in the linux launcher, but from then on we can just sample and 
propagate the current setting.

> Prevent ptracing of container management processes.
> ---------------------------------------------------
>
>                 Key: MESOS-9349
>                 URL: https://issues.apache.org/jira/browse/MESOS-9349
>             Project: Mesos
>          Issue Type: Bug
>          Components: containerization, security
>            Reporter: James Peach
>            Priority: Major
>
> The container launcher and the built-in executors are (at least partially) 
> accessible to containerized user tasks. Since these processes may contain 
> secrets or hold privileged resources, we can increase the difficulty of 
> attacking them by preventing user tasks attaching to them with ptrace(2). 
> This amounts to calling `prctl(PR_SET_DUMPABLE, 0)`.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
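
The approach discussed in the message above (clear the dumpable attribute, then sample the current setting and carry it into child processes), as an added example that is not part of the original message or the Mesos code base. The function names are hypothetical; the example assumes Linux and uses only `prctl(2)`, `fork(2)` and `waitpid(2)`.

```c
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: sample the caller's "dumpable" attribute.
 * Returns 0, 1 or 2 as reported by the kernel, or -1 on error. */
int sample_dumpable(void) {
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Hypothetical helper: apply a setting (0 = not dumpable, 1 = dumpable)
 * and read it back. prctl(2) documents cases where the kernel resets the
 * attribute, e.g. when the effective UID changes, so verify, don't assume. */
int apply_dumpable(int value) {
    if (prctl(PR_SET_DUMPABLE, value, 0, 0, 0) != 0)
        return -1;
    return sample_dumpable() == value ? 0 : -1;
}

/* Fork a child and return the dumpable value the child observes,
 * passed back through its exit status. Shows that the setting
 * propagates across fork(2) without being set again. */
int dumpable_in_forked_child(void) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(sample_dumpable() & 0xff); /* -1 becomes 255 */
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    int seen = WEXITSTATUS(status);
    return seen == 255 ? -1 : seen;
}

int main(void) {
    printf("before: dumpable=%d\n", sample_dumpable());
    if (apply_dumpable(0) != 0) {
        perror("prctl(PR_SET_DUMPABLE, 0)");
        return 1;
    }
    printf("after:  dumpable=%d\n", sample_dumpable());
    printf("child:  dumpable=%d\n", dumpable_in_forked_child());
    return 0;
}
```
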
