From d87da59c79eabb794087f731d3ad51ea98f7a3cc Mon Sep 17 00:00:00 2001 From: Michael Crosby Date: Mon, 20 Apr 2015 11:58:24 -0700 Subject: [PATCH] Prevent write access to /proc/asound Signed-off-by: Michael Crosby Conflicts: integration-cli/docker_cli_run_test.go --- .../native/template/default_template.go | 6 +++++- integration-cli/docker_cli_run_test.go | 21 +++++++++++++++++++ 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/daemon/execdriver/native/template/default_template.go b/daemon/execdriver/native/template/default_template.go index 76e3cea787..530bd95960 100644 --- a/daemon/execdriver/native/template/default_template.go +++ b/daemon/execdriver/native/template/default_template.go @@ -84,7 +84,11 @@ func New() *configs.Config { "/proc/kcore", }, ReadonlyPaths: []string{ - "/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus", + "/proc/asound", + "/proc/bus", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger", }, } diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go index 626cc3583a..3e01fb1a29 100644 --- a/integration-cli/docker_cli_run_test.go +++ b/integration-cli/docker_cli_run_test.go @@ -3056,3 +3056,24 @@ func (s *DockerSuite) TestRunPidHostWithChildIsKillable(c *check.C) { c.Fatal("Kill container timed out") } } + +func TestRunWithTooSmallMemoryLimit(t *testing.T) { + defer deleteAllContainers() + // this memory limit is 1 byte less than the min, which is 4MB + // https://github.com/docker/docker/blob/v1.5.0/daemon/create.go#L22 + out, _, err := runCommandWithOutput(exec.Command(dockerBinary, "run", "-m", "4194303", "busybox")) + if err == nil || !strings.Contains(out, "Minimum memory limit allowed is 4MB") { + t.Fatalf("expected run to fail when using too low a memory limit: %q", out) + } + + logDone("run - can't set too low memory limit") +} + +func TestRunWriteToProcAsound(t *testing.T) { + defer deleteAllContainers() + code, err := runCommand(exec.Command(dockerBinary, "run", "busybox", "sh", "-c", "echo 111 >> /proc/asound/version")) + if err == nil || code == 0 { + t.Fatal("standard container should not be able to write to /proc/asound") + } + logDone("run - ro write to /proc/asound") +}