You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@mesos.apache.org by James Peach <jp...@apache.org> on 2019/03/05 17:15:46 UTC

Re: Review Request 69615: Disable containerizer ptrace attach.


> On Feb. 14, 2019, 7:07 a.m., Jiang Yan Xu wrote:
> > src/slave/containerizer/mesos/launch.cpp
> > Lines 556 (patched)
> > <https://reviews.apache.org/r/69615/diff/3/?file=2124536#file2124536line556>
> >
> >     The main thing I wanted to confirm is what we chatted about offline but I didn't write down: the interpretation of this paragraph in http://man7.org/linux/man-pages/man2/prctl.2.html
> >     
> >     ```
> >     PR_SET_DUMPABLE
> >     ...
> >                   Normally, this flag is set to 1.  However, it is reset to the
> >                   current value contained in the file /proc/sys/fs/suid_dumpable
> >                   (which by default has the value 0), in the following
> >                   circumstances:
> >     
> >                   *  The process's effective user or group ID is changed.
> >     ...
> >     ```
> >     
> >     This reads to me like, in a typical setup which runs Mesos agent as uid 0 and the task with another uid (hence the call `os::setuid(uid.get());` below does change uid):
> >     
> >     - If `/proc/sys/fs/suid_dumpable` is the default 0, then regardless of `--allow_ptrace` the result is that the launcher process becomes undumpable.
> >     - If `/proc/sys/fs/suid_dumpable` is 1, then regardless of `--allow_ptrace` the result is that the launcher process becomes dumpable.
> >     
> >     i.e., the `prctl()` call here is a noop.
> >     
> >     Maybe I misunderstood the doc but perhaps we can tweak the test to be a `ROOT_*` test and change to a different task user in order to verify the behavior? If you have tested it manually that's fine too just wanted to double check :) 
> >     
> >     FWIW, I checked a sample container that we run (without this patch) and see that
> >     
> >     ```
> >     # ls -l /proc/1/
> >     ```
> >     
> >     shows the files under it are all owned by root, which does appear to mean that the process' dumpable flag is not 1 according to http://man7.org/linux/man-pages/man5/proc.5.html?
> 
> Gilbert Song wrote:
>     Probably we could continue this discussion in the next WG meeting?

In practice, if you switch uid, then the process will become non-dumpable. However, this patch also covers the executors, which I think has some (limited) value. It's possible that this may mitigate future container escapes (apparantly this was part of the fix for  CVE-2016-9962).

As for explicitly passing the flag down, rather than depending on the implicit kernel behaviour, I argue that explicit is preferable since it is reliable and predictable in all cases. I'll update to that ptrace is allowed (if specified) after switching UID.


- James


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69615/#review212822
-----------------------------------------------------------


On Feb. 8, 2019, 9:09 p.m., James Peach wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69615/
> -----------------------------------------------------------
> 
> (Updated Feb. 8, 2019, 9:09 p.m.)
> 
> 
> Review request for mesos, Xudong Ni, Gilbert Song, Jie Yu, and Jiang Yan Xu.
> 
> 
> Bugs: MESOS-9349
>     https://issues.apache.org/jira/browse/MESOS-9349
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Use `prctl(PR_SET_DUMPABLE)` to disable the ability to attach to
> the containerizer process(es) on Linux systems. This prevents
> unprivileged containerized processes from reading information
> about the containerizer process(es) from `/proc`. This gives an
> additional layer of protection against leaking information to
> untrusted container processes.
> 
> 
> Diffs
> -----
> 
>   docs/configuration/agent.md a4015c409d00a4c117df6c869d5ba5072bcfe58e 
>   src/launcher/default_executor.cpp 5837cfa4deba557cae43112092ff24b97137951f 
>   src/launcher/executor.cpp f962e800f23d5582b1bc04a263253893492a5054 
>   src/slave/containerizer/mesos/containerizer.cpp 35f51ad33da53b3e6a8eec275fbf3e77782b0fba 
>   src/slave/containerizer/mesos/launch.hpp 0a6394d56321948ad760ac69c05456319a254842 
>   src/slave/containerizer/mesos/launch.cpp 7f401cdf481123b8c6cc500ac02bb7daf2613d2c 
>   src/slave/flags.hpp 7346ba5b711a8353a4bc1d7dcd2f6184b777ddd0 
>   src/slave/flags.cpp 066b84f528b4c888dde399e0b5d5fe5531934de6 
>   src/slave/slave.cpp 0182dd2ca326723e96eef8c072696ad3c873de0b 
>   src/tests/containerizer/mesos_containerizer_tests.cpp 449928c10b897061642af8ad267f8b70695940e6 
>   src/tests/slave_tests.cpp 22a0295086ae4f4ec26df00a0e077eecfa27f1fb 
> 
> 
> Diff: https://reviews.apache.org/r/69615/diff/3/
> 
> 
> Testing
> -------
> 
> make check (Fedora 29)
> 
> 
> Thanks,
> 
> James Peach
> 
>