Allow libcontainer to eval symlink destination

Signed-off-by: Michael Crosby <crosbymichael@gmail.com> Add tests for mounting into /proc and /sys These two locations should be prohibited from mounting volumes into those destinations. Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2022-11-09 12:21:53 -05:00 · 2015-04-21 17:31:05 -07:00 · 2015-04-21 17:31:05 -07:00 · f25bbedc85
commit f25bbedc85
parent 2f54c1a352
2 changed files with 19 additions and 8 deletions
--- a/daemon/execdriver/native/create.go
+++ b/daemon/execdriver/native/create.go
@ -6,12 +6,10 @@ import (
 	"errors"
 	"fmt"
 	"net"
-	"path/filepath"
 	"strings"
 	"syscall"

 	"github.com/docker/docker/daemon/execdriver"
-	"github.com/docker/docker/pkg/symlink"
 	"github.com/docker/libcontainer/apparmor"
 	"github.com/docker/libcontainer/configs"
 	"github.com/docker/libcontainer/devices"
@ -231,10 +229,6 @@ func (d *driver) setupMounts(container *configs.Config, c *execdriver.Command) e
 	container.Mounts = defaultMounts

 	for _, m := range c.Mounts {
-		dest, err := symlink.FollowSymlinkInScope(filepath.Join(c.Rootfs, m.Destination), c.Rootfs)
-		if err != nil {
-			return err
-		}
 		flags := syscall.MS_BIND | syscall.MS_REC
 		if !m.Writable {
 			flags |= syscall.MS_RDONLY
@ -242,10 +236,9 @@ func (d *driver) setupMounts(container *configs.Config, c *execdriver.Command) e
 		if m.Slave {
 			flags |= syscall.MS_SLAVE
 		}
-
 		container.Mounts = append(container.Mounts, &configs.Mount{
 			Source:      m.Source,
-			Destination: dest,
+			Destination: m.Destination,
 			Device:      "bind",
 			Flags:       flags,
 		})
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@ -3107,3 +3107,21 @@ func TestRunReadProcLatency(t *testing.T) {
 	}
 	logDone("run - read /proc/latency_stats")
 }
+
+func TestMountIntoProc(t *testing.T) {
+	defer deleteAllContainers()
+	code, err := runCommand(exec.Command(dockerBinary, "run", "-v", "/proc//sys", "busybox", "true"))
+	if err == nil || code == 0 {
+		t.Fatal("container should not be able to mount into /proc")
+	}
+	logDone("run - mount into proc")
+}
+
+func TestMountIntoSys(t *testing.T) {
+	defer deleteAllContainers()
+	code, err := runCommand(exec.Command(dockerBinary, "run", "-v", "/sys/", "busybox", "true"))
+	if err == nil || code == 0 {
+		t.Fatal("container should not be able to mount into /sys")
+	}
+	logDone("run - mount into sys")
+}