[MESOS-8654] The `/proc/sys` mount point in Mesos containers should also include `nosuid,noexec,nodev` mount options. - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.6.0
Component/s: containerization, security
Labels:
- easyfix
- patch
- security

Description

After /proc/sys gets remounted as read-only in a Mesos container, its mount options becomes ro,relatime only. It needs to share other mount options of /proc, including nosuid,noexec,nodev for security reasons.

Additional questions: shall we also sandbox other important system mount points, like Systemd does with ProtectSystem= (or at least ProtectKernelTunables=) and Docker does with docker run without --privileged?

Attachments

Activity

People

Assignee:: Jason Lai

Reporter:: Jason Lai

Shepherd:: Jie Yu

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 09/Mar/18 02:49

Updated:: 29/Apr/19 09:27

Resolved:: 16/Mar/18 23:43