You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@mesos.apache.org by James Peach <jp...@apache.org> on 2019/02/08 21:09:08 UTC
Re: Review Request 69615: Disable containerizer ptrace attach.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69615/
-----------------------------------------------------------
(Updated Feb. 8, 2019, 9:09 p.m.)
Review request for mesos, Xudong Ni, Gilbert Song, Jie Yu, and Jiang Yan Xu.
Bugs: MESOS-9349
https://issues.apache.org/jira/browse/MESOS-9349
Repository: mesos
Description
-------
Use `prctl(PR_SET_DUMPABLE)` to disable the ability to attach to
the containerizer process(es) on Linux systems. This prevents
unprivileged containerized processes from reading information
about the containerizer process(es) from `/proc`. This gives an
additional layer of protection against leaking information to
untrusted container processes.
Diffs (updated)
-----
docs/configuration/agent.md a4015c409d00a4c117df6c869d5ba5072bcfe58e
src/launcher/default_executor.cpp 5837cfa4deba557cae43112092ff24b97137951f
src/launcher/executor.cpp f962e800f23d5582b1bc04a263253893492a5054
src/slave/containerizer/mesos/containerizer.cpp 35f51ad33da53b3e6a8eec275fbf3e77782b0fba
src/slave/containerizer/mesos/launch.hpp 0a6394d56321948ad760ac69c05456319a254842
src/slave/containerizer/mesos/launch.cpp 7f401cdf481123b8c6cc500ac02bb7daf2613d2c
src/slave/flags.hpp 7346ba5b711a8353a4bc1d7dcd2f6184b777ddd0
src/slave/flags.cpp 066b84f528b4c888dde399e0b5d5fe5531934de6
src/slave/slave.cpp 0182dd2ca326723e96eef8c072696ad3c873de0b
src/tests/containerizer/mesos_containerizer_tests.cpp 449928c10b897061642af8ad267f8b70695940e6
src/tests/slave_tests.cpp 22a0295086ae4f4ec26df00a0e077eecfa27f1fb
Diff: https://reviews.apache.org/r/69615/diff/3/
Changes: https://reviews.apache.org/r/69615/diff/2-3/
Testing
-------
make check (Fedora 29)
Thanks,
James Peach
Re: Review Request 69615: Disable containerizer ptrace attach.
Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69615/#review213473
-----------------------------------------------------------
Patch looks great!
Reviews applied: [69615]
Passed command: export OS='ubuntu:14.04' BUILDTOOL='autotools' COMPILER='gcc' CONFIGURATION='--verbose --disable-libtool-wrappers --disable-parallel-test-execution' ENVIRONMENT='GLOG_v=1 MESOS_VERBOSE=1'; ./support/docker-build.sh
- Mesos Reviewbot
On March 6, 2019, 2:08 a.m., James Peach wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69615/
> -----------------------------------------------------------
>
> (Updated March 6, 2019, 2:08 a.m.)
>
>
> Review request for mesos, Xudong Ni, Gilbert Song, Jie Yu, and Jiang Yan Xu.
>
>
> Bugs: MESOS-9349
> https://issues.apache.org/jira/browse/MESOS-9349
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Use `prctl(PR_SET_DUMPABLE)` to disable the ability to attach to
> the containerizer process(es) on Linux systems. This prevents
> unprivileged containerized processes from reading information
> about the containerizer process(es) from `/proc`. This gives an
> additional layer of protection against leaking information to
> untrusted container processes.
>
>
> Diffs
> -----
>
> docs/configuration/agent.md e744c3caaf1f5c3ed274b622f2fe3eacb60096b2
> src/launcher/executor.cpp fa4bcaad9ac36bf380484dadb14d0b0a86a30aae
> src/slave/containerizer/mesos/containerizer.cpp 043244841a73fa3f5f7119bc38f6d3a04be8990b
> src/slave/containerizer/mesos/launch.hpp 0a6394d56321948ad760ac69c05456319a254842
> src/slave/containerizer/mesos/launch.cpp 88b97a572916defbe65692036be77395053eb8e8
> src/slave/flags.hpp 09921cb6172202b5c1d2f8d03f9ccaeb3d0e8c94
> src/slave/flags.cpp 5fe5e05ddfc92ae0da4ce9c934cd713312a1e46e
> src/slave/slave.cpp 4073d8a0954932318b5b37a7b7fa02d7b336840a
> src/tests/containerizer/mesos_containerizer_tests.cpp 449928c10b897061642af8ad267f8b70695940e6
> src/tests/slave_tests.cpp 22a0295086ae4f4ec26df00a0e077eecfa27f1fb
>
>
> Diff: https://reviews.apache.org/r/69615/diff/4/
>
>
> Testing
> -------
>
> make check (Fedora 29)
>
>
> Thanks,
>
> James Peach
>
>
Re: Review Request 69615: Disable containerizer ptrace attach.
Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69615/#review213692
-----------------------------------------------------------
FAIL: Some of the unit tests failed. Please check the relevant logs.
Reviews applied: `['69615']`
Failed command: `Start-MesosCITesting`
All the build artifacts available at: http://dcos-win.westus2.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2942/mesos-review-69615
Relevant logs:
- [mesos-tests-cmake.log](http://dcos-win.westus2.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2942/mesos-review-69615/logs/mesos-tests-cmake.log):
```
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\zookeeper.c(3500): warning C4996: 'inet_ntoa': Use inet_ntop() or InetNtop() instead or define _WINSOCK_DEPRECATED_NO_WARNINGS to disable deprecated API warnings [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\zookeeper.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\zookeeper.c(3501): warning C4996: 'sprintf': This function or variable may be unsafe. Consider using sprintf_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details. [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\zookeeper.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\zookeeper.c(3479): warning C4101: 'addrstr': unreferenced local variable [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\zookeeper.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\recordio.c(170): warning C4267: '=': conversion from 'size_t' to 'int32_t', possible loss of data [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\zookeeper.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\mt_adaptor.c(496): warning C4244: '=': conversion from 'time_t' to 'int32_t', possible loss of data [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\zookeeper.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\winport.c(256): warning C4090: 'function': different 'const' qualifiers [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\zookeeper.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\winport.c(166): warning C4716: 'pthread_cond_broadcast': must return a value [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\zookeeper.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\winport.c(205): warning C4716: 'pthread_cond_wait': must return a value [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\zookeeper.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\cli.c(124): warning C4996: 'fopen': This function or variable may be unsafe. Consider using fopen_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details. [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\cli.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\cli.c(128): warning C4267: 'initializing': conversion from 'size_t' to 'int', possible loss of data [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\cli.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\cli.c(279): warning C4267: 'function': conversion from 'size_t' to 'int', possible loss of data [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\cli.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\cli.c(301): warning C4267: 'initializing': conversion from 'size_t' to 'int', possible loss of data [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\cli.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\cli.c(368): warning C4267: 'function': conversion from 'size_t' to 'int', possible loss of data [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\cli.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\cli.c(372): warning C4267: 'function': conversion from 'size_t' to 'int', possible loss of data [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\cli.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\cli.c(512): warning C4267: 'function': conversion from 'size_t' to 'int', possible loss of data [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\cli.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\cli.c(543): warning C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details. [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\cli.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\cli.c(548): warning C4996: 'fopen': This function or variable may be unsafe. Consider using fopen_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details. [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\cli.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\cli.c(569): warning C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details. [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\cli.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
"D:\DCOS\mesos\src\tests\mesos-tests.vcxproj" (default target) (1) ->
"D:\DCOS\mesos\src\mesos.vcxproj" (default target) (20) ->
(ClCompile target) ->
d:\dcos\mesos\mesos\src\slave\slave.cpp(6326): error C2039: 'allow_containerizer_ptrace': is not a member of 'mesos::internal::slave::Flags' [D:\DCOS\mesos\src\mesos.vcxproj]
172 Warning(s)
1 Error(s)
Time Elapsed 00:08:54.19
```
- Mesos Reviewbot Windows
On March 5, 2019, 5:08 p.m., James Peach wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69615/
> -----------------------------------------------------------
>
> (Updated March 5, 2019, 5:08 p.m.)
>
>
> Review request for mesos, Xudong Ni, Gilbert Song, Jie Yu, and Jiang Yan Xu.
>
>
> Bugs: MESOS-9349
> https://issues.apache.org/jira/browse/MESOS-9349
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Use `prctl(PR_SET_DUMPABLE)` to disable the ability to attach to
> the containerizer process(es) on Linux systems. This prevents
> unprivileged containerized processes from reading information
> about the containerizer process(es) from `/proc`. This gives an
> additional layer of protection against leaking information to
> untrusted container processes.
>
>
> Diffs
> -----
>
> docs/configuration/agent.md e744c3caaf1f5c3ed274b622f2fe3eacb60096b2
> src/launcher/executor.cpp fa4bcaad9ac36bf380484dadb14d0b0a86a30aae
> src/slave/containerizer/mesos/containerizer.cpp 043244841a73fa3f5f7119bc38f6d3a04be8990b
> src/slave/containerizer/mesos/launch.hpp 0a6394d56321948ad760ac69c05456319a254842
> src/slave/containerizer/mesos/launch.cpp 88b97a572916defbe65692036be77395053eb8e8
> src/slave/flags.hpp 09921cb6172202b5c1d2f8d03f9ccaeb3d0e8c94
> src/slave/flags.cpp 5fe5e05ddfc92ae0da4ce9c934cd713312a1e46e
> src/slave/slave.cpp 4073d8a0954932318b5b37a7b7fa02d7b336840a
> src/tests/containerizer/mesos_containerizer_tests.cpp 449928c10b897061642af8ad267f8b70695940e6
> src/tests/slave_tests.cpp 22a0295086ae4f4ec26df00a0e077eecfa27f1fb
>
>
> Diff: https://reviews.apache.org/r/69615/diff/4/
>
>
> Testing
> -------
>
> make check (Fedora 29)
>
>
> Thanks,
>
> James Peach
>
>
Re: Review Request 69615: Disable containerizer ptrace attach.
Posted by James Peach <jp...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69615/
-----------------------------------------------------------
(Updated March 6, 2019, 1:08 a.m.)
Review request for mesos, Xudong Ni, Gilbert Song, Jie Yu, and Jiang Yan Xu.
Bugs: MESOS-9349
https://issues.apache.org/jira/browse/MESOS-9349
Repository: mesos
Description
-------
Use `prctl(PR_SET_DUMPABLE)` to disable the ability to attach to
the containerizer process(es) on Linux systems. This prevents
unprivileged containerized processes from reading information
about the containerizer process(es) from `/proc`. This gives an
additional layer of protection against leaking information to
untrusted container processes.
Diffs (updated)
-----
docs/configuration/agent.md e744c3caaf1f5c3ed274b622f2fe3eacb60096b2
src/launcher/executor.cpp fa4bcaad9ac36bf380484dadb14d0b0a86a30aae
src/slave/containerizer/mesos/containerizer.cpp 043244841a73fa3f5f7119bc38f6d3a04be8990b
src/slave/containerizer/mesos/launch.hpp 0a6394d56321948ad760ac69c05456319a254842
src/slave/containerizer/mesos/launch.cpp 88b97a572916defbe65692036be77395053eb8e8
src/slave/flags.hpp 09921cb6172202b5c1d2f8d03f9ccaeb3d0e8c94
src/slave/flags.cpp 5fe5e05ddfc92ae0da4ce9c934cd713312a1e46e
src/slave/slave.cpp 4073d8a0954932318b5b37a7b7fa02d7b336840a
src/tests/containerizer/mesos_containerizer_tests.cpp 449928c10b897061642af8ad267f8b70695940e6
src/tests/slave_tests.cpp 22a0295086ae4f4ec26df00a0e077eecfa27f1fb
Diff: https://reviews.apache.org/r/69615/diff/4/
Changes: https://reviews.apache.org/r/69615/diff/3-4/
Testing
-------
make check (Fedora 29)
Thanks,
James Peach
Re: Review Request 69615: Disable containerizer ptrace attach.
Posted by Gilbert Song <so...@gmail.com>.
> On Feb. 13, 2019, 11:07 p.m., Jiang Yan Xu wrote:
> > src/slave/containerizer/mesos/launch.cpp
> > Lines 556 (patched)
> > <https://reviews.apache.org/r/69615/diff/3/?file=2124536#file2124536line556>
> >
> > The main thing I wanted to confirm is what we chatted about offline but I didn't write down: the interpretation of this paragraph in http://man7.org/linux/man-pages/man2/prctl.2.html
> >
> > ```
> > PR_SET_DUMPABLE
> > ...
> > Normally, this flag is set to 1. However, it is reset to the
> > current value contained in the file /proc/sys/fs/suid_dumpable
> > (which by default has the value 0), in the following
> > circumstances:
> >
> > * The process's effective user or group ID is changed.
> > ...
> > ```
> >
> > This reads to me like, in a typical setup which runs Mesos agent as uid 0 and the task with another uid (hence the call `os::setuid(uid.get());` below does change uid):
> >
> > - If `/proc/sys/fs/suid_dumpable` is the default 0, then regardless of `--allow_ptrace` the result is that the launcher process becomes undumpable.
> > - If `/proc/sys/fs/suid_dumpable` is 1, then regardless of `--allow_ptrace` the result is that the launcher process becomes dumpable.
> >
> > i.e., the `prctl()` call here is a noop.
> >
> > Maybe I misunderstood the doc but perhaps we can tweak the test to be a `ROOT_*` test and change to a different task user in order to verify the behavior? If you have tested it manually that's fine too just wanted to double check :)
> >
> > FWIW, I checked a sample container that we run (without this patch) and see that
> >
> > ```
> > # ls -l /proc/1/
> > ```
> >
> > shows the files under it are all owned by root, which does appear to mean that the process' dumpable flag is not 1 according to http://man7.org/linux/man-pages/man5/proc.5.html?
Probably we could continue this discussion in the next WG meeting?
- Gilbert
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69615/#review212822
-----------------------------------------------------------
On Feb. 8, 2019, 1:09 p.m., James Peach wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69615/
> -----------------------------------------------------------
>
> (Updated Feb. 8, 2019, 1:09 p.m.)
>
>
> Review request for mesos, Xudong Ni, Gilbert Song, Jie Yu, and Jiang Yan Xu.
>
>
> Bugs: MESOS-9349
> https://issues.apache.org/jira/browse/MESOS-9349
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Use `prctl(PR_SET_DUMPABLE)` to disable the ability to attach to
> the containerizer process(es) on Linux systems. This prevents
> unprivileged containerized processes from reading information
> about the containerizer process(es) from `/proc`. This gives an
> additional layer of protection against leaking information to
> untrusted container processes.
>
>
> Diffs
> -----
>
> docs/configuration/agent.md a4015c409d00a4c117df6c869d5ba5072bcfe58e
> src/launcher/default_executor.cpp 5837cfa4deba557cae43112092ff24b97137951f
> src/launcher/executor.cpp f962e800f23d5582b1bc04a263253893492a5054
> src/slave/containerizer/mesos/containerizer.cpp 35f51ad33da53b3e6a8eec275fbf3e77782b0fba
> src/slave/containerizer/mesos/launch.hpp 0a6394d56321948ad760ac69c05456319a254842
> src/slave/containerizer/mesos/launch.cpp 7f401cdf481123b8c6cc500ac02bb7daf2613d2c
> src/slave/flags.hpp 7346ba5b711a8353a4bc1d7dcd2f6184b777ddd0
> src/slave/flags.cpp 066b84f528b4c888dde399e0b5d5fe5531934de6
> src/slave/slave.cpp 0182dd2ca326723e96eef8c072696ad3c873de0b
> src/tests/containerizer/mesos_containerizer_tests.cpp 449928c10b897061642af8ad267f8b70695940e6
> src/tests/slave_tests.cpp 22a0295086ae4f4ec26df00a0e077eecfa27f1fb
>
>
> Diff: https://reviews.apache.org/r/69615/diff/3/
>
>
> Testing
> -------
>
> make check (Fedora 29)
>
>
> Thanks,
>
> James Peach
>
>
Re: Review Request 69615: Disable containerizer ptrace attach.
Posted by James Peach <jp...@apache.org>.
> On Feb. 14, 2019, 7:07 a.m., Jiang Yan Xu wrote:
> > src/slave/containerizer/mesos/launch.cpp
> > Lines 556 (patched)
> > <https://reviews.apache.org/r/69615/diff/3/?file=2124536#file2124536line556>
> >
> > The main thing I wanted to confirm is what we chatted about offline but I didn't write down: the interpretation of this paragraph in http://man7.org/linux/man-pages/man2/prctl.2.html
> >
> > ```
> > PR_SET_DUMPABLE
> > ...
> > Normally, this flag is set to 1. However, it is reset to the
> > current value contained in the file /proc/sys/fs/suid_dumpable
> > (which by default has the value 0), in the following
> > circumstances:
> >
> > * The process's effective user or group ID is changed.
> > ...
> > ```
> >
> > This reads to me like, in a typical setup which runs Mesos agent as uid 0 and the task with another uid (hence the call `os::setuid(uid.get());` below does change uid):
> >
> > - If `/proc/sys/fs/suid_dumpable` is the default 0, then regardless of `--allow_ptrace` the result is that the launcher process becomes undumpable.
> > - If `/proc/sys/fs/suid_dumpable` is 1, then regardless of `--allow_ptrace` the result is that the launcher process becomes dumpable.
> >
> > i.e., the `prctl()` call here is a noop.
> >
> > Maybe I misunderstood the doc but perhaps we can tweak the test to be a `ROOT_*` test and change to a different task user in order to verify the behavior? If you have tested it manually that's fine too just wanted to double check :)
> >
> > FWIW, I checked a sample container that we run (without this patch) and see that
> >
> > ```
> > # ls -l /proc/1/
> > ```
> >
> > shows the files under it are all owned by root, which does appear to mean that the process' dumpable flag is not 1 according to http://man7.org/linux/man-pages/man5/proc.5.html?
>
> Gilbert Song wrote:
> Probably we could continue this discussion in the next WG meeting?
In practice, if you switch uid, then the process will become non-dumpable. However, this patch also covers the executors, which I think has some (limited) value. It's possible that this may mitigate future container escapes (apparantly this was part of the fix for CVE-2016-9962).
As for explicitly passing the flag down, rather than depending on the implicit kernel behaviour, I argue that explicit is preferable since it is reliable and predictable in all cases. I'll update to that ptrace is allowed (if specified) after switching UID.
- James
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69615/#review212822
-----------------------------------------------------------
On Feb. 8, 2019, 9:09 p.m., James Peach wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69615/
> -----------------------------------------------------------
>
> (Updated Feb. 8, 2019, 9:09 p.m.)
>
>
> Review request for mesos, Xudong Ni, Gilbert Song, Jie Yu, and Jiang Yan Xu.
>
>
> Bugs: MESOS-9349
> https://issues.apache.org/jira/browse/MESOS-9349
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Use `prctl(PR_SET_DUMPABLE)` to disable the ability to attach to
> the containerizer process(es) on Linux systems. This prevents
> unprivileged containerized processes from reading information
> about the containerizer process(es) from `/proc`. This gives an
> additional layer of protection against leaking information to
> untrusted container processes.
>
>
> Diffs
> -----
>
> docs/configuration/agent.md a4015c409d00a4c117df6c869d5ba5072bcfe58e
> src/launcher/default_executor.cpp 5837cfa4deba557cae43112092ff24b97137951f
> src/launcher/executor.cpp f962e800f23d5582b1bc04a263253893492a5054
> src/slave/containerizer/mesos/containerizer.cpp 35f51ad33da53b3e6a8eec275fbf3e77782b0fba
> src/slave/containerizer/mesos/launch.hpp 0a6394d56321948ad760ac69c05456319a254842
> src/slave/containerizer/mesos/launch.cpp 7f401cdf481123b8c6cc500ac02bb7daf2613d2c
> src/slave/flags.hpp 7346ba5b711a8353a4bc1d7dcd2f6184b777ddd0
> src/slave/flags.cpp 066b84f528b4c888dde399e0b5d5fe5531934de6
> src/slave/slave.cpp 0182dd2ca326723e96eef8c072696ad3c873de0b
> src/tests/containerizer/mesos_containerizer_tests.cpp 449928c10b897061642af8ad267f8b70695940e6
> src/tests/slave_tests.cpp 22a0295086ae4f4ec26df00a0e077eecfa27f1fb
>
>
> Diff: https://reviews.apache.org/r/69615/diff/3/
>
>
> Testing
> -------
>
> make check (Fedora 29)
>
>
> Thanks,
>
> James Peach
>
>
Re: Review Request 69615: Disable containerizer ptrace attach.
Posted by Jiang Yan Xu <ya...@jxu.me>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69615/#review212822
-----------------------------------------------------------
src/slave/containerizer/mesos/launch.cpp
Lines 556 (patched)
<https://reviews.apache.org/r/69615/#comment298707>
The main thing I wanted to confirm is what we chatted about offline but I didn't write down: the interpretation of this paragraph in http://man7.org/linux/man-pages/man2/prctl.2.html
```
PR_SET_DUMPABLE
...
Normally, this flag is set to 1. However, it is reset to the
current value contained in the file /proc/sys/fs/suid_dumpable
(which by default has the value 0), in the following
circumstances:
* The process's effective user or group ID is changed.
...
```
This reads to me like, in a typical setup which runs Mesos agent as uid 0 and the task with another uid (hence the call `os::setuid(uid.get());` below does change uid):
- If `/proc/sys/fs/suid_dumpable` is the default 0, then regardless of `--allow_ptrace` the result is that the launcher process becomes undumpable.
- If `/proc/sys/fs/suid_dumpable` is 1, then regardless of `--allow_ptrace` the result is that the launcher process becomes dumpable.
i.e., the `prctl()` call here is a noop.
Maybe I misunderstood the doc but perhaps we can tweak the test to be a `ROOT_*` test and change to a different task user in order to verify the behavior? If you have tested it manually that's fine too just wanted to double check :)
FWIW, I checked a sample container that we run (without this patch) and see that
```
# ls -l /proc/1/
```
shows the files under it are all owned by root, which does appear to mean that the process' dumpable flag is not 1 according to http://man7.org/linux/man-pages/man5/proc.5.html?
- Jiang Yan Xu
On Feb. 8, 2019, 1:09 p.m., James Peach wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69615/
> -----------------------------------------------------------
>
> (Updated Feb. 8, 2019, 1:09 p.m.)
>
>
> Review request for mesos, Xudong Ni, Gilbert Song, Jie Yu, and Jiang Yan Xu.
>
>
> Bugs: MESOS-9349
> https://issues.apache.org/jira/browse/MESOS-9349
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Use `prctl(PR_SET_DUMPABLE)` to disable the ability to attach to
> the containerizer process(es) on Linux systems. This prevents
> unprivileged containerized processes from reading information
> about the containerizer process(es) from `/proc`. This gives an
> additional layer of protection against leaking information to
> untrusted container processes.
>
>
> Diffs
> -----
>
> docs/configuration/agent.md a4015c409d00a4c117df6c869d5ba5072bcfe58e
> src/launcher/default_executor.cpp 5837cfa4deba557cae43112092ff24b97137951f
> src/launcher/executor.cpp f962e800f23d5582b1bc04a263253893492a5054
> src/slave/containerizer/mesos/containerizer.cpp 35f51ad33da53b3e6a8eec275fbf3e77782b0fba
> src/slave/containerizer/mesos/launch.hpp 0a6394d56321948ad760ac69c05456319a254842
> src/slave/containerizer/mesos/launch.cpp 7f401cdf481123b8c6cc500ac02bb7daf2613d2c
> src/slave/flags.hpp 7346ba5b711a8353a4bc1d7dcd2f6184b777ddd0
> src/slave/flags.cpp 066b84f528b4c888dde399e0b5d5fe5531934de6
> src/slave/slave.cpp 0182dd2ca326723e96eef8c072696ad3c873de0b
> src/tests/containerizer/mesos_containerizer_tests.cpp 449928c10b897061642af8ad267f8b70695940e6
> src/tests/slave_tests.cpp 22a0295086ae4f4ec26df00a0e077eecfa27f1fb
>
>
> Diff: https://reviews.apache.org/r/69615/diff/3/
>
>
> Testing
> -------
>
> make check (Fedora 29)
>
>
> Thanks,
>
> James Peach
>
>
Re: Review Request 69615: Disable containerizer ptrace attach.
Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69615/#review212878
-----------------------------------------------------------
FAIL: Failed to apply the current review.
Failed command: `python.exe .\support\apply-reviews.py -n -r 69615`
All the build artifacts available at: http://dcos-win.westus2.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2894/mesos-review-69615
Relevant logs:
- [apply-review-69615.log](http://dcos-win.westus2.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2894/mesos-review-69615/logs/apply-review-69615.log):
```
error: patch failed: src/slave/containerizer/mesos/containerizer.cpp:1944
error: src/slave/containerizer/mesos/containerizer.cpp: patch does not apply
```
- Mesos Reviewbot Windows
On Feb. 8, 2019, 9:09 p.m., James Peach wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69615/
> -----------------------------------------------------------
>
> (Updated Feb. 8, 2019, 9:09 p.m.)
>
>
> Review request for mesos, Xudong Ni, Gilbert Song, Jie Yu, and Jiang Yan Xu.
>
>
> Bugs: MESOS-9349
> https://issues.apache.org/jira/browse/MESOS-9349
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Use `prctl(PR_SET_DUMPABLE)` to disable the ability to attach to
> the containerizer process(es) on Linux systems. This prevents
> unprivileged containerized processes from reading information
> about the containerizer process(es) from `/proc`. This gives an
> additional layer of protection against leaking information to
> untrusted container processes.
>
>
> Diffs
> -----
>
> docs/configuration/agent.md a4015c409d00a4c117df6c869d5ba5072bcfe58e
> src/launcher/default_executor.cpp 5837cfa4deba557cae43112092ff24b97137951f
> src/launcher/executor.cpp f962e800f23d5582b1bc04a263253893492a5054
> src/slave/containerizer/mesos/containerizer.cpp 35f51ad33da53b3e6a8eec275fbf3e77782b0fba
> src/slave/containerizer/mesos/launch.hpp 0a6394d56321948ad760ac69c05456319a254842
> src/slave/containerizer/mesos/launch.cpp 7f401cdf481123b8c6cc500ac02bb7daf2613d2c
> src/slave/flags.hpp 7346ba5b711a8353a4bc1d7dcd2f6184b777ddd0
> src/slave/flags.cpp 066b84f528b4c888dde399e0b5d5fe5531934de6
> src/slave/slave.cpp 0182dd2ca326723e96eef8c072696ad3c873de0b
> src/tests/containerizer/mesos_containerizer_tests.cpp 449928c10b897061642af8ad267f8b70695940e6
> src/tests/slave_tests.cpp 22a0295086ae4f4ec26df00a0e077eecfa27f1fb
>
>
> Diff: https://reviews.apache.org/r/69615/diff/3/
>
>
> Testing
> -------
>
> make check (Fedora 29)
>
>
> Thanks,
>
> James Peach
>
>
Re: Review Request 69615: Disable containerizer ptrace attach.
Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69615/#review212930
-----------------------------------------------------------
Bad review!
Reviews applied: [69615]
Error:
2019-02-19 22:06:02 URL:https://reviews.apache.org/r/69615/diff/raw/ [14493/14493] -> "69615.patch" [1]
error: patch failed: src/slave/containerizer/mesos/containerizer.cpp:1944
error: src/slave/containerizer/mesos/containerizer.cpp: patch does not apply
- Mesos Reviewbot
On Feb. 8, 2019, 9:09 p.m., James Peach wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69615/
> -----------------------------------------------------------
>
> (Updated Feb. 8, 2019, 9:09 p.m.)
>
>
> Review request for mesos, Xudong Ni, Gilbert Song, Jie Yu, and Jiang Yan Xu.
>
>
> Bugs: MESOS-9349
> https://issues.apache.org/jira/browse/MESOS-9349
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Use `prctl(PR_SET_DUMPABLE)` to disable the ability to attach to
> the containerizer process(es) on Linux systems. This prevents
> unprivileged containerized processes from reading information
> about the containerizer process(es) from `/proc`. This gives an
> additional layer of protection against leaking information to
> untrusted container processes.
>
>
> Diffs
> -----
>
> docs/configuration/agent.md a4015c409d00a4c117df6c869d5ba5072bcfe58e
> src/launcher/default_executor.cpp 5837cfa4deba557cae43112092ff24b97137951f
> src/launcher/executor.cpp f962e800f23d5582b1bc04a263253893492a5054
> src/slave/containerizer/mesos/containerizer.cpp 35f51ad33da53b3e6a8eec275fbf3e77782b0fba
> src/slave/containerizer/mesos/launch.hpp 0a6394d56321948ad760ac69c05456319a254842
> src/slave/containerizer/mesos/launch.cpp 7f401cdf481123b8c6cc500ac02bb7daf2613d2c
> src/slave/flags.hpp 7346ba5b711a8353a4bc1d7dcd2f6184b777ddd0
> src/slave/flags.cpp 066b84f528b4c888dde399e0b5d5fe5531934de6
> src/slave/slave.cpp 0182dd2ca326723e96eef8c072696ad3c873de0b
> src/tests/containerizer/mesos_containerizer_tests.cpp 449928c10b897061642af8ad267f8b70695940e6
> src/tests/slave_tests.cpp 22a0295086ae4f4ec26df00a0e077eecfa27f1fb
>
>
> Diff: https://reviews.apache.org/r/69615/diff/3/
>
>
> Testing
> -------
>
> make check (Fedora 29)
>
>
> Thanks,
>
> James Peach
>
>
Re: Review Request 69615: Disable containerizer ptrace attach.
Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69615/#review212680
-----------------------------------------------------------
PASS: Mesos patch 69615 was successfully built and tested.
Reviews applied: `['69615']`
All the build artifacts available at: http://dcos-win.westus2.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2869/mesos-review-69615
- Mesos Reviewbot Windows
On Feb. 8, 2019, 9:09 p.m., James Peach wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69615/
> -----------------------------------------------------------
>
> (Updated Feb. 8, 2019, 9:09 p.m.)
>
>
> Review request for mesos, Xudong Ni, Gilbert Song, Jie Yu, and Jiang Yan Xu.
>
>
> Bugs: MESOS-9349
> https://issues.apache.org/jira/browse/MESOS-9349
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Use `prctl(PR_SET_DUMPABLE)` to disable the ability to attach to
> the containerizer process(es) on Linux systems. This prevents
> unprivileged containerized processes from reading information
> about the containerizer process(es) from `/proc`. This gives an
> additional layer of protection against leaking information to
> untrusted container processes.
>
>
> Diffs
> -----
>
> docs/configuration/agent.md a4015c409d00a4c117df6c869d5ba5072bcfe58e
> src/launcher/default_executor.cpp 5837cfa4deba557cae43112092ff24b97137951f
> src/launcher/executor.cpp f962e800f23d5582b1bc04a263253893492a5054
> src/slave/containerizer/mesos/containerizer.cpp 35f51ad33da53b3e6a8eec275fbf3e77782b0fba
> src/slave/containerizer/mesos/launch.hpp 0a6394d56321948ad760ac69c05456319a254842
> src/slave/containerizer/mesos/launch.cpp 7f401cdf481123b8c6cc500ac02bb7daf2613d2c
> src/slave/flags.hpp 7346ba5b711a8353a4bc1d7dcd2f6184b777ddd0
> src/slave/flags.cpp 066b84f528b4c888dde399e0b5d5fe5531934de6
> src/slave/slave.cpp 0182dd2ca326723e96eef8c072696ad3c873de0b
> src/tests/containerizer/mesos_containerizer_tests.cpp 449928c10b897061642af8ad267f8b70695940e6
> src/tests/slave_tests.cpp 22a0295086ae4f4ec26df00a0e077eecfa27f1fb
>
>
> Diff: https://reviews.apache.org/r/69615/diff/3/
>
>
> Testing
> -------
>
> make check (Fedora 29)
>
>
> Thanks,
>
> James Peach
>
>