[MESOS-9771] Mask sensitive procfs paths. - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.9.0
Component/s: containerization
Labels:
None

Target Version/s:

1.9.0

Description

We already have a set of procfs paths that we mark read-only in the containerizer, but there are additional paths that are considered sensitive by other containerizers and are masked altogether:

                                "/proc/asound"
                                "/proc/acpi"
                                "/proc/kcore"
                                "/proc/keys"
                                "/proc/latency_stats"
                                "/proc/timer_list"
                                "/proc/timer_stats"
                                "/proc/sched_debug"
                                "/sys/firmware"
                                "/proc/scsi"

Masking is done by mounting /dev/null on files, and an empty, readonly tmpfs on directories.

Attachments

Activity

People

Assignee:: James Peach

Reporter:: James Peach

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 07/May/19 05:35

Updated:: 24/May/19 03:05

Resolved:: 24/May/19 03:05