From b4963c87b234c5ea50331dfaefa978acba78080c Mon Sep 17 00:00:00 2001
From: Kenfe-Mickael Laventure
Date: Mon, 8 Feb 2016 16:51:45 -0800
Subject: [PATCH] Prevent mqueue from implicitely becoming a bind mount with --ipc=host

Currently, when running a container with --ipc=host, if /dev/mqueue is a standard directory on the hos the daemon will bind mount it allowing the container to create/modify files on the host. This commit forces /dev/mqueue to always be of type mqueue except when the user explicitely requested something to be bind mounted to /dev/mqueue.

Signed-off-by: Kenfe-Mickael Laventure
(cherry picked from commit f7d4abdc00d521509995da1070215c808fe0fd9c)
From PR #20133
---
 container/container_unix.go | 10 ----------
 daemon/container_operations_unix.go | 4 ----
 integration-cli/docker_cli_run_test.go | 23 +++++++++++++++++++++--
 3 files changed, 21 insertions(+), 16 deletions(-)

diff --git a/container/container_unix.go b/container/container_unix.go
index 65a58cdf5f..b8bae23112 100644
--- a/container/container_unix.go
+++ b/container/container_unix.go
@@ -44,7 +44,6 @@ type Container struct {
 HostnamePath string
 HostsPath string
 ShmPath string
- MqueuePath string
 ResolvConfPath string
 SeccompProfile string
 }
@@ -581,15 +580,6 @@ func (container *Container) IpcMounts() []execdriver.Mount {
 Propagation: volume.DefaultPropagationMode,
 })
 }
- if !container.HasMountFor("/dev/mqueue") &&
- container.MqueuePath != "" {
- mounts = append(mounts, execdriver.Mount{
- Source: container.MqueuePath,
- Destination: "/dev/mqueue",
- Writable: true,
- Propagation: volume.DefaultPropagationMode,
- })
- }
 return mounts
 }
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
index 6fe5445bb5..a96e394f47 100644
--- a/daemon/container_operations_unix.go
+++ b/daemon/container_operations_unix.go
@@ -106,11 +106,7 @@ func (daemon *Daemon) populateCommand(c *container.Container, env []string) erro
 if _, err := os.Stat("/dev/shm"); err != nil {
 return fmt.Errorf("/dev/shm is not mounted, but must be for --ipc=host")
 }
- if _, err := os.Stat("/dev/mqueue"); err != nil {
- return fmt.Errorf("/dev/mqueue is not mounted, but must be for --ipc=host")
- }
 c.ShmPath = "/dev/shm"
- c.MqueuePath = "/dev/mqueue"
 }
 }
diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index e4f8045fdc..0c1cc5fcbd 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -2365,7 +2365,7 @@ func (s *DockerSuite) TestRunModeIpcContainer(c *check.C) {
 // Not applicable on Windows as uses Unix-specific capabilities
 testRequires(c, SameHostDaemon, DaemonIsLinux, NotUserNamespace)
- out, _ := dockerCmd(c, "run", "-d", "busybox", "sh", "-c", "echo -n test > /dev/shm/test && top")
+ out, _ := dockerCmd(c, "run", "-d", "busybox", "sh", "-c", "echo -n test > /dev/shm/test && touch /dev/mqueue/toto && top")
 id := strings.TrimSpace(out)
 state, err := inspectField(id, "State.Running")
@@ -2391,6 +2391,18 @@ func (s *DockerSuite) TestRunModeIpcContainer(c *check.C) {
 if catOutput != "test" {
 c.Fatalf("Output of /dev/shm/test expected test but found: %s", catOutput)
 }
+
+ // check that /dev/mqueue is actually of mqueue type
+ grepOutput, _ := dockerCmd(c, "run", fmt.Sprintf("--ipc=container:%s", id), "busybox", "grep", "/dev/mqueue", "/proc/mounts")
+ if !strings.HasPrefix(grepOutput, "mqueue /dev/mqueue mqueue rw") {
+ c.Fatalf("Output of 'grep /proc/mounts' expected 'mqueue /dev/mqueue mqueue rw' but found: %s", grepOutput)
+ }
+
+ lsOutput, _ := dockerCmd(c, "run", fmt.Sprintf("--ipc=container:%s", id), "busybox", "ls", "/dev/mqueue")
+ lsOutput = strings.Trim(lsOutput, "\n")
+ if lsOutput != "toto" {
+ c.Fatalf("Output of 'ls /dev/mqueue' expected 'toto' but found: %s", lsOutput)
+ }
 }
 func (s *DockerSuite) TestRunModeIpcContainerNotExists(c *check.C) {
@@ -2419,7 +2431,9 @@ func (s *DockerSuite) TestRunMountShmMqueueFromHost(c *check.C) {
 // Not applicable on Windows as uses Unix-specific capabilities
 testRequires(c, SameHostDaemon, DaemonIsLinux)
- dockerCmd(c, "run", "-d", "--name", "shmfromhost", "-v", "/dev/shm:/dev/shm", "busybox", "sh", "-c", "echo -n test > /dev/shm/test && top")
+ dockerCmd(c, "run", "-d", "--name", "shmfromhost", "-v", "/dev/shm:/dev/shm", "-v", "/dev/mqueue:/dev/mqueue", "busybox", "sh", "-c", "echo -n test > /dev/shm/test && touch /dev/mqueue/toto && top")
+ defer os.Remove("/dev/mqueue/toto")
+ defer os.Remove("/dev/shm/test")
 volPath, err := inspectMountSourceField("shmfromhost", "/dev/shm")
 c.Assert(err, check.IsNil)
 if volPath != "/dev/shm" {
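Review bot: The new checks never run a container with `--ipc=host`, which per the commit message is the configuration where a plain-directory host `/dev/mqueue` was being bind-mounted; both added `dockerCmd` calls use `--ipc=container:<id>`, so they verify the mqueue mount in a fresh IPC namespace, and the explicit-bind case is left to `TestRunMountShmMqueueFromHost`. I'd add one more run with `--ipc=host` that reuses the same assertion, `if !strings.HasPrefix(out, "mqueue /dev/mqueue mqueue rw") { c.Fatalf(...) }`, so the fixed regression is pinned directly rather than inferred. The `HasPrefix` check also deserves a comment on why it is stronger than the `ls` check, e.g. `// first two fields pin the source and fs type: a bind of a host directory would show a path and the host fs type here even though toto would still be listed`. `TestRunModeIpcContainer` opens before this hunk, and the hunk ends on the first line of `TestRunModeIpcContainerNotExists`.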
@@ -2430,6 +2444,11 @@ func (s *DockerSuite) TestRunMountShmMqueueFromHost(c *check.C) {
 if out != "test" {
 c.Fatalf("Output of /dev/shm/test expected test but found: %s", out)
 }
+
+ // Check that the mq was created
+ if _, err := os.Stat("/dev/mqueue/toto"); err != nil {
+ c.Fatalf("Failed to confirm '/dev/mqueue/toto' presence on host: %s", err.Error())
+ }
 }
 func (s *DockerSuite) TestContainerNetworkMode(c *check.C) {
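Review bot: `os.Stat("/dev/mqueue/toto")` on the host succeeds whether the host `/dev/mqueue` is an mqueue filesystem or an ordinary directory, so the assertion proves that the explicit `-v /dev/mqueue:/dev/mqueue` bind was honoured, not that a message queue was created as `// Check that the mq was created` suggests. I'd reword it to `// The explicit -v bind must still be honoured: the entry touched inside the container is visible at the same path on the host` so a later reader does not take it as evidence of mqueue semantics. Minor style: `c.Fatalf("...: %s", err.Error())` can pass `err` with `%v` directly. `TestRunMountShmMqueueFromHost` begins before this hunk, and the hunk ends on the first line of `TestContainerNetworkMode`.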