
Re: [HTCondor-users] El Capitan and Sandbox



We have a fix for this problem. It will be included in HTCondor 8.4.9 and 8.5.7.
https://htcondor-wiki.cs.wisc.edu/index.cgi/tktview?tn=5777

 - Jaime

> On Jul 6, 2016, at 1:33 PM, Kolja Kauder <kkauder@xxxxxxxxx> wrote:
> 
> I would very much appreciate it when you find the time and Mac :)
> 
> Thanks,
> Kolja
> 
> On Wed, Jul 6, 2016 at 2:30 PM, Jaime Frey <jfrey@xxxxxxxxxxx> wrote:
>> HTCondor can be made smarter about this. It collects basic information about all processes on the system (pid, ppid, cpu/memory usage), constructs a tree of parent-child relationships, then queries this data for various purposes.
>> These are mainly tracking the cpu/memory usage of jobs while they run and identifying the descendants of an HTCondor daemon or job so that they can be killed along with the ancestor.
>> task_for_pid() is used to collect the cpu and memory usage of each process. HTCondor doesn't need to collect that for system processes. If we could identify SIP-protected processes and skip the task_for_pid() call for them, I believe that would eliminate the system log spam.
>> 
>> Unfortunately, my Mac died right around when this email thread began, so I can't work on a fix at the moment.
>> 
>> - Jaime Frey
>> 
>> -----Original Message-----
>> From: HTCondor-users [mailto:htcondor-users-bounces@xxxxxxxxxxx]
>> 
>> Rich,
>> 
>> I instinctively recoil at circumventing security features on this machine, but you have a point; I will mull on it.
>> 
>> BTW, this error comes from procd trying to call task_for_pid which is now heavily regulated.
>> 
>> Thanks,
>> Kolja
>> 
>> On Thu, Jun 23, 2016 at 3:44 PM, Rich Pieri <ratinox@xxxxxxx> wrote:
>>> On 6/23/16 3:21 PM, Kolja Kauder wrote:
>>>> Since the machine is a visible server, that won't be a secure
>>>> long-term solution. It would however allow me to edit the Sandbox
>>> 
>>> I fail to see how this follows. SIP offers no protection against
>>> remote attacks and essentially no local protection given how easy it
>>> is to exploit privileged binaries.
>>> 
>>>> settings. Do I guess correctly that I only need to add a file called
>>>> condor_procd.sb containing (allow mach-priv-task-port
>>>>       (*) )
>>>> ? (I didn't expect to ever use LISP outside .emacs :)
>>> 
>>> My understanding is that changes to protected areas will be undone
>>> when you enable SIP. There may be ways around this but you'll have to
>>> go digging into the csrutil man pages to find them.
>>> 
>>> --
>>> Rich Pieri <ratinox@xxxxxxx>
>>> MIT Laboratory for Nuclear Science

Thanks and regards,
Jaime Frey
UW-Madison HTCondor Project
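The procd bookkeeping Jaime describes above (a pid/ppid tree, the descendants that get killed with their ancestor, and skipping the task_for_pid() usage query for system processes), as an added Python example that is not HTCondor's code. The `ps`-style input is constructed, and the path-prefix test for SIP-protected processes is an assumption standing in for a check macOS does not expose publicly.

```python
# Added example (not HTCondor's procd code): the pid/ppid bookkeeping the
# thread describes, fed with constructed `ps -eo pid,ppid,comm`-style output.
# Assumption: no public "is this process SIP-protected?" call exists, so a
# restricted-path heuristic on the executable stands in for one.
from collections import defaultdict

SAMPLE_PS = """\
1 0 /sbin/launchd
120 1 /usr/local/condor/sbin/condor_master
121 120 /usr/local/condor/sbin/condor_procd
130 120 /usr/local/condor/sbin/condor_startd
200 130 /usr/local/condor/sbin/condor_starter
201 200 /Users/kolja/job/run.sh
202 201 /usr/bin/python3
300 1 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow
"""
# SIP-restricted locations (heuristic); /usr/local is explicitly exempt.
PROTECTED_PREFIXES = ("/System/", "/bin/", "/sbin/", "/usr/")

def parse_ps(text):
    """pid -> (ppid, executable path)"""
    procs = {}
    for line in text.splitlines():
        pid, ppid, path = line.split(maxsplit=2)
        procs[int(pid)] = (int(ppid), path)
    return procs

def build_tree(procs):
    """ppid -> [child pids]"""
    children = defaultdict(list)
    for pid, (ppid, _) in procs.items():
        children[ppid].append(pid)
    return children

def descendants(children, root):
    """All pids below root, i.e. what gets killed along with the ancestor."""
    out, stack = [], list(children.get(root, []))
    while stack:
        pid = stack.pop()
        out.append(pid)
        stack.extend(children.get(pid, []))
    return sorted(out)

def looks_protected(path):
    return path.startswith(PROTECTED_PREFIXES) and not path.startswith("/usr/local/")

def pids_to_query(procs, children, tracked_roots):
    """Pids worth a task_for_pid() usage query: everything inside a tracked
    subtree (a job may run /usr/bin binaries) plus unprotected processes."""
    tracked = set(tracked_roots)
    for root in tracked_roots:
        tracked.update(descendants(children, root))
    return sorted(pid for pid, (_, path) in procs.items()
                  if pid in tracked or not looks_protected(path))
```

Note that a path heuristic alone would skip a job's own `/usr/bin/python3` child, which is why anything under a tracked daemon or job is always queried.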