Mask reads from timer_stats and latency_stats

These files in /proc should not be able to be read as well as written to. Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2022-11-09 12:21:53 -05:00 · 2015-04-29 11:20:31 -07:00 · 2015-04-29 11:20:31 -07:00 · a7a51306b1
commit a7a51306b1
parent 27ae108b4e
2 changed files with 25 additions and 13 deletions
--- a/daemon/execdriver/native/template/default_template.go
+++ b/daemon/execdriver/native/template/default_template.go
@ -82,16 +82,16 @@ func New() *configs.Config {
 		},
 		MaskPaths: []string{
 			"/proc/kcore",
+			"/proc/latency_stats",
+			"/proc/timer_stats",
 		},
 		ReadonlyPaths: []string{
 			"/proc/asound",
 			"/proc/bus",
 			"/proc/fs",
 			"/proc/irq",
-			"/proc/latency_stats",
 			"/proc/sys",
 			"/proc/sysrq-trigger",
-			"/proc/timer_stats",
 		},
 	}

--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@ -3078,20 +3078,32 @@ func TestRunWriteToProcAsound(t *testing.T) {
 	logDone("run - ro write to /proc/asound")
 }

-func TestRunWriteToProcTimer(t *testing.T) {
+func TestRunReadProcTimer(t *testing.T) {
 	defer deleteAllContainers()
-	code, err := runCommand(exec.Command(dockerBinary, "run", "busybox", "sh", "-c", "echo 1 >> /proc/timer_stats"))
-	if err == nil || code == 0 {
-		t.Fatal("standard container should not be able to write to /proc/timer_stats")
+	out, code, err := runCommandWithOutput(exec.Command(dockerBinary, "run", "busybox", "cat", "/proc/timer_stats"))
+	if err != nil || code != 0 {
+		t.Fatal(err)
 	}
-	logDone("run - ro write to /proc/timer_stats")
+	if strings.Trim(out, "\n ") != "" {
+		t.Fatalf("expected to receive no output from /proc/timer_stats but received %q", out)
+	}
+	logDone("run - read /proc/timer_stats")
 }

-func TestRunWriteToProcLatency(t *testing.T) {
-	defer deleteAllContainers()
-	code, err := runCommand(exec.Command(dockerBinary, "run", "busybox", "sh", "-c", "echo 1 >> /proc/latency_stats"))
-	if err == nil || code == 0 {
-		t.Fatal("standard container should not be able to write to /proc/latency_stats")
+func TestRunReadProcLatency(t *testing.T) {
+	// some kernels don't have this configured so skip the test if this file is not found
+	// on the host running the tests.
+	if _, err := os.Stat("/proc/latency_stats"); err != nil {
+		t.Skip()
+		return
 	}
-	logDone("run - ro write to /proc/latency_stats")
+	defer deleteAllContainers()
+	out, code, err := runCommandWithOutput(exec.Command(dockerBinary, "run", "busybox", "cat", "/proc/latency_stats"))
+	if err != nil || code != 0 {
+		t.Fatal(err)
+	}
+	if strings.Trim(out, "\n ") != "" {
+		t.Fatalf("expected to receive no output from /proc/latency_stats but received %q", out)
+	}
+	logDone("run - read /proc/latency_stats")
 }