Posted to dev@mesos.apache.org by "Kevin Sweeney (JIRA)" <ji...@apache.org> on 2013/02/26 23:26:12 UTC

[jira] [Created] (MESOS-359) "port" isolation module utilizing ephemeral selinux roles

Kevin Sweeney created MESOS-359:
-----------------------------------

             Summary: "port" isolation module utilizing ephemeral selinux roles
                 Key: MESOS-359
                 URL: https://issues.apache.org/jira/browse/MESOS-359
             Project: Mesos
          Issue Type: Brainstorming
          Components: isolation
            Reporter: Kevin Sweeney
            Priority: Minor


Basic idea: before launching a task, create an ephemeral SELinux role and policy restricting the process from using certain resources, starting with ports. Something like this (pseudocode - there's a DSL for this, or you can make libselinux calls directly):
{noformat}
before task start {
  create and install policy module with {
    allow bind to
      {requested static ports, dynamically allocated ports like %port:http%}
    deny bind to port *
  } for type mesos_task_t:taskid
}
run task taskid in selinux execution context user_u:object_r:mesos_task_t:taskid
at task end {
  uninstall policy module for taskid
}
{noformat}

This will prevent races where 2 tasks bind the same port without explicitly requesting it or being allocated it. There is also a security gain, as a compromised task cannot easily grab another task's traffic.
For inspiration, see http://selinuxproject.org/page/SVirt and specifically the slide deck at http://namei.org/presentations/svirt-lca-2009.pdf


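A sketch of the per-task lifecycle from the pseudocode above, added here as an example and not code from the issue or from Mesos. It assumes one SELinux type per task, a reference-policy-based system that provides the `domain` and `port_type` attributes, and a hypothetical `mesos_task_<id>` naming scheme; it covers only the port-bind rule, not the other permissions a task domain needs to run.

```python
import re

# Hypothetical naming scheme; the issue only sketches "mesos_task_t:taskid".
_SAFE_ID = re.compile(r"[A-Za-z0-9_]{1,64}")

def task_policy(task_id, ports):
    """Return (te_source, setup_cmds, teardown_cmds) for one task."""
    # Task IDs are chosen by frameworks, so refuse anything that could
    # inject statements into the policy source or the command lines.
    if not _SAFE_ID.fullmatch(task_id):
        raise ValueError("task id is not a safe SELinux identifier")
    ports = sorted(set(ports))
    if not ports or any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("ports must be in 1..65535")

    mod = f"mesos_task_{task_id}"
    dom, port_t = f"{mod}_t", f"{mod}_port_t"
    te = "\n".join([
        f"module {mod} 1.0;",
        "require {",
        "    attribute domain;",
        "    attribute port_type;",
        "    class tcp_socket name_bind;",
        "}",
        f"type {dom}, domain;",
        f"type {port_t}, port_type;",
        "# The only name_bind rule for this domain. No 'deny' rule is",
        "# written: SELinux refuses whatever is not explicitly allowed.",
        f"allow {dom} {port_t}:tcp_socket name_bind;",
        "",
    ])
    setup = [
        ["checkmodule", "-M", "-m", "-o", f"{mod}.mod", f"{mod}.te"],
        ["semodule_package", "-o", f"{mod}.pp", "-m", f"{mod}.mod"],
        ["semodule", "-i", f"{mod}.pp"],
    ] + [["semanage", "port", "-a", "-t", port_t, "-p", "tcp", str(p)] for p in ports]
    # Teardown runs in reverse: drop the port labels first so that none
    # is left referring to a type that no longer exists.
    teardown = [["semanage", "port", "-d", "-t", port_t, "-p", "tcp", str(p)] for p in ports]
    teardown.append(["semodule", "-r", mod])
    return te, setup, teardown
```

Ports that the base policy already labels (80 as `http_port_t`, for instance) need `semanage port -m` rather than `-a`, so this sketch fits dynamically allocated ports from an otherwise unlabelled range.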