  1. Mesos
  2. MESOS-359

"port" isolation module utilizing ephemeral selinux roles


Details

    • Story
    • Status: Resolved
    • Minor
    • Resolution: Won't Fix
    • None
    • None
    • containerization
    • None

    Description

      Basic idea: before launching a task, create an ephemeral SELinux role and policy restricting the process from using certain resources, starting with ports. Something like this (pseudocode; there's a DSL for this, or you can make libselinux calls directly):

      before task start {
        create and install policy module with {
          allow bind to {requested static ports, dynamically allocated ports like %port:http%}
          deny bind to port *
        } for type mesos_task_t:taskid
      }
      run task taskid in selinux execution context user_u:object_r:mesos_task_t:taskid
      at task end {
        uninstall policy module for taskid
      }

      This will prevent races where 2 tasks bind the same port without explicitly requesting it or being allocated it. There is also a security gain, as a compromised task cannot easily grab another task's traffic.
      For inspiration, see http://selinuxproject.org/page/SVirt, specifically the slide deck at http://namei.org/presentations/svirt-lca-2009.pdf
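
As an added illustration (not part of the original issue and not Mesos code), the pseudocode's bind rules can be rendered as a per-task policy module plus port-labeling commands. The names `render_task_policy`, `mesos_task_<id>_t` and `mesos_task_<id>_port_t` are hypothetical, and the sketch assumes a reference-policy-based system where the `domain` and `port_type` attributes exist; it covers only the port-bind rule, not the transition into the task domain.

```python
import re

# Added example: all type and function names here are hypothetical.
_TASK_ID = re.compile(r"[a-z0-9_]{1,32}")

def render_task_policy(task_id, tcp_ports):
    """Return (module_source, install_cmds, cleanup_cmds) for one task."""
    if not _TASK_ID.fullmatch(task_id):
        # task_id ends up inside policy text and shell commands: refuse
        # anything outside a strict identifier alphabet.
        raise ValueError("unsafe task id: %r" % (task_id,))
    ports = sorted(set(tcp_ports))
    if not ports or any(type(p) is not int or not 1 <= p <= 65535 for p in ports):
        raise ValueError("ports must be integers in 1..65535")
    name = "mesos_task_" + task_id
    dom, port_t = name + "_t", name + "_port_t"
    source = "\n".join([
        "module %s 1.0;" % name,
        "require {",
        "    attribute domain;",
        "    attribute port_type;",
        "    class tcp_socket name_bind;",
        "}",
        "type %s;" % dom,
        "typeattribute %s domain;" % dom,
        "type %s;" % port_t,
        "typeattribute %s port_type;" % port_t,
        "# The only bind rule for this domain. SELinux denies whatever is not",
        "# allowed, so the pseudocode's 'deny bind to port *' needs no rule.",
        "allow %s %s:tcp_socket name_bind;" % (dom, port_t),
        "",
    ])
    install = [
        "checkmodule -M -m -o %s.mod %s.te" % (name, name),
        "semodule_package -o %s.pp -m %s.mod" % (name, name),
        "semodule -i %s.pp" % name,
    ] + ["semanage port -a -t %s -p tcp %d" % (port_t, p) for p in ports]
    # Teardown at task end: unlabel the ports first, then remove the module.
    cleanup = ["semanage port -d -p tcp %d" % p for p in ports]
    cleanup.append("semodule -r %s" % name)
    return source, install, cleanup

if __name__ == "__main__":
    src, install, cleanup = render_task_policy("t42", [31000, 31001])
    print(src)
    print("\n".join(install + cleanup))
```

A port that the base policy already labels cannot be added a second time with `semanage port -a`; relabeling it requires `semanage port -m`.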

            People

              Unassigned
              kevints Kevin Sweeney