Allow libcontainer to eval symlink destination
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

Add tests for mounting into /proc and /sys

Mounting volumes into these two locations should be prohibited.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This commit is contained in:
parent
2f54c1a352
commit
f25bbedc85
2 changed files with 19 additions and 8 deletions
|
@ -6,12 +6,10 @@ import (
|
|||
"errors"
|
||||
"fmt"
|
||||
"net"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"syscall"
|
||||
|
||||
"github.com/docker/docker/daemon/execdriver"
|
||||
"github.com/docker/docker/pkg/symlink"
|
||||
"github.com/docker/libcontainer/apparmor"
|
||||
"github.com/docker/libcontainer/configs"
|
||||
"github.com/docker/libcontainer/devices"
|
||||
|
@ -231,10 +229,6 @@ func (d *driver) setupMounts(container *configs.Config, c *execdriver.Command) e
|
|||
container.Mounts = defaultMounts
|
||||
|
||||
for _, m := range c.Mounts {
|
||||
dest, err := symlink.FollowSymlinkInScope(filepath.Join(c.Rootfs, m.Destination), c.Rootfs)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
flags := syscall.MS_BIND | syscall.MS_REC
|
||||
if !m.Writable {
|
||||
flags |= syscall.MS_RDONLY
|
||||
|
@ -242,10 +236,9 @@ func (d *driver) setupMounts(container *configs.Config, c *execdriver.Command) e
|
|||
if m.Slave {
|
||||
flags |= syscall.MS_SLAVE
|
||||
}
|
||||
|
||||
container.Mounts = append(container.Mounts, &configs.Mount{
|
||||
Source: m.Source,
|
||||
Destination: dest,
|
||||
Destination: m.Destination,
|
||||
Device: "bind",
|
||||
Flags: flags,
|
||||
})
|
||||
|
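Review bot: Nothing in the new code records that symlink resolution of `m.Destination` has moved to libcontainer, even though the append at the end of the third hunk now hands the user-supplied destination to the bind-mount configuration without the `symlink.FollowSymlinkInScope` scoping to `c.Rootfs` that the second hunk removes. A one-line comment on the append would keep the next maintainer from re-adding a local check or, worse, assuming one still exists here: `// Destination is passed unresolved; libcontainer resolves symlinks against the rootfs when it applies the mount.` The two imports dropped in the first hunk (`path/filepath`, `github.com/docker/docker/pkg/symlink`) are consistent with this as far as the visible hunks show, though any remaining use elsewhere in the file is outside them. setupMounts starts and ends outside the hunk.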
|
|
@ -3107,3 +3107,21 @@ func TestRunReadProcLatency(t *testing.T) {
|
|||
}
|
||||
logDone("run - read /proc/latency_stats")
|
||||
}
|
||||
|
||||
func TestMountIntoProc(t *testing.T) {
|
||||
defer deleteAllContainers()
|
||||
code, err := runCommand(exec.Command(dockerBinary, "run", "-v", "/proc//sys", "busybox", "true"))
|
||||
if err == nil || code == 0 {
|
||||
t.Fatal("container should not be able to mount into /proc")
|
||||
}
|
||||
logDone("run - mount into proc")
|
||||
}
|
||||
|
||||
func TestMountIntoSys(t *testing.T) {
|
||||
defer deleteAllContainers()
|
||||
code, err := runCommand(exec.Command(dockerBinary, "run", "-v", "/sys/", "busybox", "true"))
|
||||
if err == nil || code == 0 {
|
||||
t.Fatal("container should not be able to mount into /sys")
|
||||
}
|
||||
logDone("run - mount into sys")
|
||||
}
|
||||
|
|
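Review bot: Both tests pass whenever `docker run` fails for any reason, since the only assertion is `err == nil || code == 0`, so a missing busybox image or an unreachable daemon would satisfy them without exercising the /proc and /sys prohibition at all. Asserting on the command's output as well, for instance that the error text names the rejected destination, would tie the failure to the intended check; an output-returning variant of `runCommand`, if this file has one, would suit. The unnormalized forms `/proc//sys` and `/sys/` look deliberate, presumably to confirm the check runs on the cleaned path rather than the literal string, and deserve a comment such as `// deliberately unnormalized: the check must reject the cleaned path, not just the literal prefix`. A third case with a plain `/proc` destination would complete the coverage the commit message describes.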