[ML] Add getpriority/setpriority to Linux system call whitelist #1117

Merged

droberts195

This is to support #1109.

The risk with setpriority is that it can possibly be used on a
different process. However, it is extremely unlikely that the
user that Elasticsearch is running as in production will have
been granted permission to call it. Running as root is banned
and it's an extra admin action to grant the privilege to any
other user and there is no good reason for it to have been
granted to the Elasticsearch user.
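
The risk described above can also be narrowed in the filter itself, because seccomp-BPF can inspect syscall arguments. The following is an added example, not code from this pull request or from ml-cpp: a constructed filter that allows getpriority freely but allows setpriority only for PRIO_PROCESS with who == 0, assuming the caller only ever re-nices itself. The names `priority_filter`, `decide`, `THIS_ARCH`, `FIELD` and `DENY` are hypothetical, and the decision is evaluated in user space rather than by installing the filter.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/resource.h>
#include <sys/syscall.h>

#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#error "example covers x86_64 and aarch64 only"
#endif
#define FIELD(m) ((uint32_t)offsetof(struct seccomp_data, m))
#define DENY (SECCOMP_RET_ERRNO | EPERM)

/* Constructed filter: covers only the two priority syscalls; a real allow-list has many more. */
static const struct sock_filter priority_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 0, 9),       /* foreign ABI: kill */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getpriority, 5, 0), /* read-only: allow */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_setpriority, 0, 5), /* anything else: deny */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(args[0])),         /* which is an int: low word (LE) */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PRIO_PROCESS, 0, 3),    /* no PRIO_PGRP / PRIO_USER */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(args[1])),         /* who is 32-bit: low word (LE) */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 1),               /* who == 0: the caller itself */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, DENY),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
};

/* Interprets the three opcodes used above, so decisions can be checked without installing. */
static uint32_t decide(uint32_t arch, int nr, uint64_t which, uint64_t who) {
    struct seccomp_data d = { .nr = nr, .arch = arch, .args = { which, who } };
    uint32_t acc = 0;
    for (size_t pc = 0; pc < sizeof priority_filter / sizeof *priority_filter; pc++) {
        const struct sock_filter *i = &priority_filter[pc];
        if (i->code == (BPF_RET | BPF_K)) return i->k;
        if (i->code == (BPF_LD | BPF_W | BPF_ABS)) memcpy(&acc, (const char *)&d + i->k, 4);
        else pc += (acc == i->k) ? i->jt : i->jf;  /* JEQ: skip jt or jf instructions */
    }
    return SECCOMP_RET_KILL_PROCESS;
}

int main(void) { return decide(THIS_ARCH, SYS_setpriority, PRIO_PROCESS, 0) != SECCOMP_RET_ALLOW; }
```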


@tveasey tveasey left a comment

This seems fine to me.

@droberts195

retest

@droberts195 droberts195 merged commit c3910aa into elastic:master Apr 3, 2020
@droberts195 droberts195 deleted the add_priority_to_syscall_whitelist branch April 3, 2020 16:05
droberts195 added a commit to droberts195/ml-cpp that referenced this pull request Apr 3, 2020
Backport of elastic#1117
droberts195 added a commit that referenced this pull request Apr 3, 2020
…1124)

Backport of #1117