Restrict mount point permission for /dev/shm

/dev/shm is a bindmount on /run/mesos/<containerid>/.. This directory is a tmpfs created with very wide permssions. Sadly it allows any container without a rootfs to view and read files in this directory. User expectations for /dev/shm can be to store private elements and they can forget to set special permissions. Like sandboxes were made private by default, this patch makes /dev/shm really private. Change-Id: I4db1ede989af1c0bb9a88ef04cf4802c9c3e2b49 JIRA: MESOS-5187
criteo-forks · Sep 17, 2021 · 85f7a72 · 85f7a72
1 parent 39c6c8c
commit 85f7a72
Showing 1 changed file with 15 additions and 6 deletions.
diff --git a/src/slave/containerizer/mesos/isolators/namespaces/ipc.cpp b/src/slave/containerizer/mesos/isolators/namespaces/ipc.cpp
@@ -123,6 +123,13 @@ Future<Option<ContainerLaunchInfo>> NamespacesIPCIsolatorProcess::prepare(
     }
   }
 
+  Option<string> user;
+  if (containerConfig.has_user()) {
+    user = containerConfig.user();
+  } else {
+    user = "0";
+  }
+
   // Get the container's IPC mode and size of /dev/shm.
   if (containerConfig.has_container_info() &&
       containerConfig.container_info().has_linux_info()) {
@@ -172,7 +179,8 @@ Future<Option<ContainerLaunchInfo>> NamespacesIPCIsolatorProcess::prepare(
             "tmpfs",
             path::join(containerConfig.rootfs(), "/dev/shm"),
             "tmpfs",
-            "mode=1777",
+            "mode=0700",
+            strings::format("uid=%s", user),
             MS_NOSUID | MS_NODEV | MS_STRICTATIME);
       }
     } else {
@@ -199,8 +207,8 @@ Future<Option<ContainerLaunchInfo>> NamespacesIPCIsolatorProcess::prepare(
               "tmpfs",
               MS_NOSUID | MS_NODEV | MS_STRICTATIME,
               shmSize.isSome() ?
-                strings::format("mode=1777,size=%d", shmSize->bytes()).get() :
-                "mode=1777");
+                strings::format("mode=0700,size=%d,uid=%s", shmSize->bytes(), user).get() :
+                strings::format("mode=0700,uid=%s", user));
 
           if (mnt.isError()) {
             return Failure("Failed to mount '" + shmPath + "': " + mnt.error());
@@ -267,7 +275,8 @@ Future<Option<ContainerLaunchInfo>> NamespacesIPCIsolatorProcess::prepare(
             "tmpfs",
             path::join(containerConfig.rootfs(), "/dev/shm"),
             "tmpfs",
-            "mode=1777",
+            "mode=0700",
+            strings::format("uid=%s", user),
             MS_NOSUID | MS_NODEV | MS_STRICTATIME);
       }
     } else {
@@ -295,8 +304,8 @@ Future<Option<ContainerLaunchInfo>> NamespacesIPCIsolatorProcess::prepare(
               "tmpfs",
               MS_NOSUID | MS_NODEV | MS_STRICTATIME,
               shmSize.isSome() ?
-                strings::format("mode=1777,size=%d", shmSize->bytes()).get() :
-                "mode=1777");
+                strings::format("mode=0700,size=%d,uid=%s", shmSize->bytes(), user).get() :
+                strings::format("mode=0700,uid=%s", user));
 
           if (mnt.isError()) {
             return Failure("Failed to mount '" + shmPath + "': " + mnt.error());