Merge pull request #14965 from stefanberger/nohidevols2

Have network files mounted read-only when -v parameter has 'ro' passed
2022-11-09 12:21:53 -05:00 · 2015-08-07 19:10:59 -07:00 · 2015-08-07 19:10:59 -07:00 · 196aa6d62d
commit 196aa6d62d
parent 1e2765dabb 38295d4b48
3 changed files with 75 additions and 16 deletions
--- a/daemon/container_unix.go
+++ b/daemon/container_unix.go
@ -1128,28 +1128,40 @@ func (container *Container) networkMounts() []execdriver.Mount {
 	}
 	if container.ResolvConfPath != "" {
 		label.Relabel(container.ResolvConfPath, container.MountLabel, mode)
+		writable := !container.hostConfig.ReadonlyRootfs
+		if m, exists := container.MountPoints["/etc/resolv.conf"]; exists {
+			writable = m.RW
+		}
 		mounts = append(mounts, execdriver.Mount{
 			Source:      container.ResolvConfPath,
 			Destination: "/etc/resolv.conf",
-			Writable:    !container.hostConfig.ReadonlyRootfs,
+			Writable:    writable,
 			Private:     true,
 		})
 	}
 	if container.HostnamePath != "" {
 		label.Relabel(container.HostnamePath, container.MountLabel, mode)
+		writable := !container.hostConfig.ReadonlyRootfs
+		if m, exists := container.MountPoints["/etc/hostname"]; exists {
+			writable = m.RW
+		}
 		mounts = append(mounts, execdriver.Mount{
 			Source:      container.HostnamePath,
 			Destination: "/etc/hostname",
-			Writable:    !container.hostConfig.ReadonlyRootfs,
+			Writable:    writable,
 			Private:     true,
 		})
 	}
 	if container.HostsPath != "" {
 		label.Relabel(container.HostsPath, container.MountLabel, mode)
+		writable := !container.hostConfig.ReadonlyRootfs
+		if m, exists := container.MountPoints["/etc/hosts"]; exists {
+			writable = m.RW
+		}
 		mounts = append(mounts, execdriver.Mount{
 			Source:      container.HostsPath,
 			Destination: "/etc/hosts",
-			Writable:    !container.hostConfig.ReadonlyRootfs,
+			Writable:    writable,
 			Private:     true,
 		})
 	}
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@ -2561,23 +2561,58 @@ func (s *DockerSuite) TestRunWriteFilteredProc(c *check.C) {

 func (s *DockerSuite) TestRunNetworkFilesBindMount(c *check.C) {
 	testRequires(c, SameHostDaemon)
-	name := "test-nwfiles-mount"
-
-	f, err := ioutil.TempFile("", name)
-	c.Assert(err, check.IsNil)
-
-	filename := f.Name()
-	defer os.Remove(filename)

 	expected := "test123"

-	err = ioutil.WriteFile(filename, []byte(expected), 0644)
-	c.Assert(err, check.IsNil)
+	filename := createTmpFile(c, expected)
+	defer os.Remove(filename)

-	var actual string
-	actual, _ = dockerCmd(c, "run", "-v", filename+":/etc/resolv.conf", "busybox", "cat", "/etc/resolv.conf")
-	if actual != expected {
-		c.Fatalf("expected resolv.conf be: %q, but was: %q", expected, actual)
+	nwfiles := []string{"/etc/resolv.conf", "/etc/hosts", "/etc/hostname"}
+
+	for i := range nwfiles {
+		actual, _ := dockerCmd(c, "run", "-v", filename+":"+nwfiles[i], "busybox", "cat", nwfiles[i])
+		if actual != expected {
+			c.Fatalf("expected %s be: %q, but was: %q", nwfiles[i], expected, actual)
+		}
+	}
+}
+
+func (s *DockerSuite) TestRunNetworkFilesBindMountRO(c *check.C) {
+	testRequires(c, SameHostDaemon)
+
+	filename := createTmpFile(c, "test123")
+	defer os.Remove(filename)
+
+	nwfiles := []string{"/etc/resolv.conf", "/etc/hosts", "/etc/hostname"}
+
+	for i := range nwfiles {
+		_, exitCode, err := dockerCmdWithError("run", "-v", filename+":"+nwfiles[i]+":ro", "busybox", "touch", nwfiles[i])
+		if err == nil || exitCode == 0 {
+			c.Fatalf("run should fail because bind mount of %s is ro: exit code %d", nwfiles[i], exitCode)
+		}
+	}
+}
+
+func (s *DockerSuite) TestRunNetworkFilesBindMountROFilesystem(c *check.C) {
+	testRequires(c, SameHostDaemon)
+
+	filename := createTmpFile(c, "test123")
+	defer os.Remove(filename)
+
+	nwfiles := []string{"/etc/resolv.conf", "/etc/hosts", "/etc/hostname"}
+
+	for i := range nwfiles {
+		_, exitCode := dockerCmd(c, "run", "-v", filename+":"+nwfiles[i], "--read-only", "busybox", "touch", nwfiles[i])
+		if exitCode != 0 {
+			c.Fatalf("run should not fail because %s is mounted writable on read-only root filesystem: exit code %d", nwfiles[i], exitCode)
+		}
+	}
+
+	for i := range nwfiles {
+		_, exitCode, err := dockerCmdWithError("run", "-v", filename+":"+nwfiles[i]+":ro", "--read-only", "busybox", "touch", nwfiles[i])
+		if err == nil || exitCode == 0 {
+			c.Fatalf("run should fail because %s is mounted read-only on read-only root filesystem: exit code %d", nwfiles[i], exitCode)
+		}
 	}
 }

--- a/integration-cli/docker_utils.go
+++ b/integration-cli/docker_utils.go
@ -1341,3 +1341,15 @@ func appendBaseEnv(env []string) []string {
 	}
 	return env
 }
+
+func createTmpFile(c *check.C, content string) string {
+	f, err := ioutil.TempFile("", "testfile")
+	c.Assert(err, check.IsNil)
+
+	filename := f.Name()
+
+	err = ioutil.WriteFile(filename, []byte(content), 0644)
+	c.Assert(err, check.IsNil)
+
+	return filename
+}