From 85f7a7264c3a251784c74b525a6d438caf9619a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gr=C3=A9goire=20Seux?=
Date: Tue, 14 Sep 2021 12:20:30 +0200
Subject: [PATCH] Restrict mount point permission for /dev/shm

/dev/shm is a bindmount on /run/mesos//.. This directory is a tmpfs created with very wide permssions. Sadly it allows any container without a rootfs to view and read files in this directory. User expectations for /dev/shm can be to store private elements and they can forget to set special permissions. Like sandboxes were made private by default, this patch makes /dev/shm really private.

Change-Id: I4db1ede989af1c0bb9a88ef04cf4802c9c3e2b49
JIRA: MESOS-5187
---
 .../mesos/isolators/namespaces/ipc.cpp | 21 +++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/src/slave/containerizer/mesos/isolators/namespaces/ipc.cpp b/src/slave/containerizer/mesos/isolators/namespaces/ipc.cpp
index 45f2739a265..a4b4ccb2539 100644
--- a/src/slave/containerizer/mesos/isolators/namespaces/ipc.cpp
+++ b/src/slave/containerizer/mesos/isolators/namespaces/ipc.cpp
@@ -123,6 +123,13 @@ Future> NamespacesIPCIsolatorProcess::prepare(
     }
   }
 
+  Option user;
+  if (containerConfig.has_user()) {
+    user = containerConfig.user();
+  } else {
+    user = "0";
+  }
+
   // Get the container's IPC mode and size of /dev/shm.
   if (containerConfig.has_container_info() &&
       containerConfig.container_info().has_linux_info()) {
@@ -172,7 +179,8 @@ Future> NamespacesIPCIsolatorProcess::prepare(
           "tmpfs",
           path::join(containerConfig.rootfs(), "/dev/shm"),
           "tmpfs",
-          "mode=1777",
+          "mode=0700",
+          strings::format("uid=%s", user),
           MS_NOSUID | MS_NODEV | MS_STRICTATIME);
     }
   } else {
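Review bot: The value stored in `user` here is later formatted into the tmpfs `uid=` mount option, which the kernel only accepts as a numeric id; if `containerConfig.user()` carries a user name (the field is a string, and the `"0"` fallback is the only clearly numeric case), every mount in this patch fails and the container does not launch, so the name should be resolved first, e.g. `Result<uid_t> uid = os::getuid(user);` with an explicit `Failure` when it is an error or none, and the numeric value formatted instead of the string. The `Option` declared on one line and assigned in both branches can also be a single initialization, `const std::string user = containerConfig.has_user() ? containerConfig.user() : "0";`, which additionally avoids handing an `Option` to a `%s` conversion at the four later call sites. prepare() starts before and continues after this hunk.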
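Review bot: The mount helper called here (its name sits just above the hunk) now receives `"mode=0700"` and `strings::format("uid=%s", user)` as two separate positional arguments where it previously received one option string, which only compiles if a matching overload exists, and `strings::format` returns a `Try` that the other call sites in this patch unwrap with `.get()` but this one does not. Fold both option fragments into the single argument the helper already takes: `strings::format("mode=0700,uid=%s", user).get(),`. The same change is needed in the hunk at line 275. If `user` is an `Option<std::string>` (its template argument is lost in this rendering), unwrap it before passing it to `%s`.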
@@ -199,8 +207,8 @@ Future> NamespacesIPCIsolatorProcess::prepare(
           "tmpfs",
           MS_NOSUID | MS_NODEV | MS_STRICTATIME,
           shmSize.isSome() ?
-            strings::format("mode=1777,size=%d", shmSize->bytes()).get() :
-            "mode=1777");
+            strings::format("mode=0700,size=%d,uid=%s", shmSize->bytes(), user).get() :
+            strings::format("mode=0700,uid=%s", user));
 
       if (mnt.isError()) {
         return Failure("Failed to mount '" + shmPath + "': " + mnt.error());
@@ -267,7 +275,8 @@ Future> NamespacesIPCIsolatorProcess::prepare(
           "tmpfs",
           path::join(containerConfig.rootfs(), "/dev/shm"),
           "tmpfs",
-          "mode=1777",
+          "mode=0700",
+          strings::format("uid=%s", user),
           MS_NOSUID | MS_NODEV | MS_STRICTATIME);
     }
   } else {
@@ -295,8 +304,8 @@ Future> NamespacesIPCIsolatorProcess::prepare(
           "tmpfs",
           MS_NOSUID | MS_NODEV | MS_STRICTATIME,
           shmSize.isSome() ?
-            strings::format("mode=1777,size=%d", shmSize->bytes()).get() :
-            "mode=1777");
+            strings::format("mode=0700,size=%d,uid=%s", shmSize->bytes(), user).get() :
+            strings::format("mode=0700,uid=%s", user));
 
       if (mnt.isError()) {
         return Failure("Failed to mount '" + shmPath + "': " + mnt.error());
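Review bot: The two arms of the conditional no longer have a common type: the first arm is unwrapped with `.get()` to a `std::string`, while the new second arm `strings::format("mode=0700,uid=%s", user)` is left as the `Try` that `strings::format` returns, where the original had a plain `"mode=1777"` literal. Add the missing unwrap, `strings::format("mode=0700,uid=%s", user).get());`, here and in the hunk at line 304. Note also that a failed format is now silently possible in a mount-option string, so a comment above the mount such as `// 0700 + uid= makes /dev/shm private to the container user; processes under any other uid in this IPC namespace lose the access that 1777 granted` would document the intended tightening and its side effect. The `fs::mount` call and the `mnt` variable begin above this hunk.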