diff --git a/daemon/execdriver/native/create.go b/daemon/execdriver/native/create.go
index fbad9f1301..ffec5ec6c3 100644
--- a/daemon/execdriver/native/create.go
+++ b/daemon/execdriver/native/create.go
@@ -6,12 +6,10 @@ import (
 	"errors"
 	"fmt"
 	"net"
-	"path/filepath"
 	"strings"
 	"syscall"
 
 	"github.com/docker/docker/daemon/execdriver"
-	"github.com/docker/docker/pkg/symlink"
 	"github.com/docker/libcontainer/apparmor"
 	"github.com/docker/libcontainer/configs"
 	"github.com/docker/libcontainer/devices"
@@ -231,10 +229,6 @@ func (d *driver) setupMounts(container *configs.Config, c *execdriver.Command) e
 	container.Mounts = defaultMounts
 
 	for _, m := range c.Mounts {
-		dest, err := symlink.FollowSymlinkInScope(filepath.Join(c.Rootfs, m.Destination), c.Rootfs)
-		if err != nil {
-			return err
-		}
 		flags := syscall.MS_BIND | syscall.MS_REC
 		if !m.Writable {
 			flags |= syscall.MS_RDONLY
@@ -242,10 +236,9 @@ func (d *driver) setupMounts(container *configs.Config, c *execdriver.Command) e
 		if m.Slave {
 			flags |= syscall.MS_SLAVE
 		}
-
 		container.Mounts = append(container.Mounts, &configs.Mount{
 			Source:      m.Source,
-			Destination: dest,
+			Destination: m.Destination,
 			Device:      "bind",
 			Flags:       flags,
 		})
diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index 3b6c2e77e7..e343007b0c 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
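Review bot: With the FollowSymlinkInScope call removed in the second hunk and `Destination: m.Destination` passed straight through in the third, nothing left in setupMounts resolves or validates the mount destination, so the daemon now depends entirely on libcontainer scoping the path inside the rootfs and refusing the targets the new integration tests expect to fail — code that this diff does not show. A comment at the append would record that contract so a later change neither reintroduces a daemon-side resolve (which can disagree with libcontainer's view of the rootfs) nor assumes the value was checked here: `// Destination is deliberately left unresolved: libcontainer resolves it within the rootfs and (presumably) rejects mounts into /proc and /sys.` Because the tests submit unnormalised paths (`/proc//sys`, `/sys/`), that downstream check must clean the path before comparing, which is worth confirming. setupMounts starts and ends outside these hunks.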
@@ -3107,3 +3107,21 @@ func TestRunReadProcLatency(t *testing.T) {
 	}
 	logDone("run - read /proc/latency_stats")
 }
+
+func TestMountIntoProc(t *testing.T) {
+	defer deleteAllContainers()
+	code, err := runCommand(exec.Command(dockerBinary, "run", "-v", "/proc//sys", "busybox", "true"))
+	if err == nil || code == 0 {
+		t.Fatal("container should not be able to mount into /proc")
+	}
+	logDone("run - mount into proc")
+}
+
+func TestMountIntoSys(t *testing.T) {
+	defer deleteAllContainers()
+	code, err := runCommand(exec.Command(dockerBinary, "run", "-v", "/sys/", "busybox", "true"))
+	if err == nil || code == 0 {
+		t.Fatal("container should not be able to mount into /sys")
+	}
+	logDone("run - mount into sys")
+}
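Review bot: Both TestMountIntoProc and TestMountIntoSys treat any non-zero exit as proof that the mount was refused, so an unrelated failure (the busybox image missing, the daemon unreachable, a pull error) lets them pass without exercising the check they were written for. Capturing the output with runCommandWithOutput and asserting on the daemon's rejection message would pin the behaviour, e.g. `out, code, err := runCommandWithOutput(exec.Command(dockerBinary, "run", "-v", "/proc//sys", "busybox", "true"))` followed by a `strings.Contains(out, ...)` check against the expected error text (that text is not in this diff). Both test functions are complete within the hunk; the preceding TestRunReadProcLatency only contributes its closing lines as context.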