You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@mesos.apache.org by "Gavin (JIRA)" <ji...@apache.org> on 2019/04/29 09:27:51 UTC
[jira] [Issue Comment Deleted] (MESOS-8654) The `/proc/sys` mount
point in Mesos containers should also include `nosuid,noexec,nodev` mount
options.
[ https://issues.apache.org/jira/browse/MESOS-8654?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gavin updated MESOS-8654:
-------------------------
Comment: was deleted
(was: www.rtat.net)
> The `/proc/sys` mount point in Mesos containers should also include `nosuid,noexec,nodev` mount options.
> --------------------------------------------------------------------------------------------------------
>
> Key: MESOS-8654
> URL: https://issues.apache.org/jira/browse/MESOS-8654
> Project: Mesos
> Issue Type: Bug
> Components: containerization, security
> Reporter: Jason Lai
> Assignee: Jason Lai
> Priority: Critical
> Labels: easyfix, patch, security
> Fix For: 1.6.0
>
>
> After {{/proc/sys}} gets remounted as read-only in a Mesos container, its mount options becomes {{ro,relatime}} only. It needs to share other mount options of {{/proc}}, including {{nosuid,noexec,nodev}} for security reasons.
> Additional questions: shall we also sandbox other important system mount points, like Systemd does with [{{ProtectSystem=}}|https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=] (or at least [{{ProtectKernelTunables=}}|https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelTunables=]) and Docker does with {{docker run}} without {{--privileged}}?
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)