Mesos / MESOS-9898

Add framework control over the no-new-privileges flag.


Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Components: containerization, HTTP API

    Description

      Following on from MESOS-9770, we can add framework control over the no-new-privileges flag.

      The implementation is to add a `no_new_privileges` boolean to the SeccompInfo message that will allow a framework to toggle it on and off. This means that the seccomp isolator must be ordered after the nnp isolator so that it has priority (last writer wins in a protobuf merge). The nnp isolator will still unconditionally set the flag.

      Design doc: https://docs.google.com/document/d/1x9S94-P0-nsXHGrwY4BHZ_NEC_bTFMIsDkxxaTd5Vok/edit?usp=sharing
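
      A simplified model of the ordering requirement in the description, added here as an example and not taken from the Mesos code base or the design doc. `LaunchInfo`, `FrameworkChoice`, `Order` and the isolator functions are hypothetical stand-ins; the merge rule is the proto2 one for a singular scalar field (a field set in the source overwrites the destination, an unset field leaves it alone).

```cpp
#include <cstdio>
#include <vector>

// Simplified stand-in for the launch info an isolator returns (assumption).
// The has_ bit models a proto2 singular field that may be left unset.
struct LaunchInfo { bool has_no_new_privileges; bool no_new_privileges; };

LaunchInfo makeInfo(bool has, bool value) { LaunchInfo i = {has, value}; return i; }

// proto2 merge rule for a singular scalar: a set field in `from` overwrites
// `into`; an unset field leaves `into` untouched. Last writer wins.
void mergeFrom(LaunchInfo& into, const LaunchInfo& from) {
  if (from.has_no_new_privileges) {
    into.has_no_new_privileges = true;
    into.no_new_privileges = from.no_new_privileges;
  }
}

enum FrameworkChoice { CHOICE_UNSET, CHOICE_OFF, CHOICE_ON };
enum Order { NNP_THEN_SECCOMP, SECCOMP_THEN_NNP };

// Hypothetical nnp isolator: unconditionally sets the flag.
LaunchInfo nnpIsolator() { return makeInfo(true, true); }

// Hypothetical seccomp isolator: forwards the framework's SeccompInfo
// `no_new_privileges` value only when the framework set it.
LaunchInfo seccompIsolator(FrameworkChoice choice) {
  return choice == CHOICE_UNSET ? makeInfo(false, false)
                                : makeInfo(true, choice == CHOICE_ON);
}

// Merges the isolator outputs in the given order; returns the effective flag.
bool effectiveNnp(Order order, FrameworkChoice choice) {
  bool nnpFirst = (order == NNP_THEN_SECCOMP);
  std::vector<LaunchInfo> outputs;
  outputs.push_back(nnpFirst ? nnpIsolator() : seccompIsolator(choice));
  outputs.push_back(nnpFirst ? seccompIsolator(choice) : nnpIsolator());
  LaunchInfo merged = makeInfo(false, false);
  for (std::size_t i = 0; i < outputs.size(); ++i) mergeFrom(merged, outputs[i]);
  return merged.has_no_new_privileges && merged.no_new_privileges;
}

int main() {
  std::printf("nnp, seccomp (off): %d\n", effectiveNnp(NNP_THEN_SECCOMP, CHOICE_OFF));
  std::printf("seccomp (off), nnp: %d\n", effectiveNnp(SECCOMP_THEN_NNP, CHOICE_OFF));
  return 0;
}
```

      With the seccomp isolator ordered first, the framework's "off" is silently overwritten by the nnp isolator; a framework that leaves the field unset gets the nnp isolator's value in either order.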

            People

              Assignee: Unassigned
              Reporter: James Peach (jamespeach)
              Votes: 0
              Watchers: 2