This caused a regression with LSM labeling.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
| ... | ... |
@@ -85,7 +85,7 @@ func (d *Driver) createContainer(c *execdriver.Command) (*configs.Config, error) |
| 85 | 85 |
} |
| 86 | 86 |
|
| 87 | 87 |
/* These paths must be remounted as r/o */ |
| 88 |
- container.ReadonlyPaths = append(container.ReadonlyPaths, "/proc", "/dev") |
|
| 88 |
+ container.ReadonlyPaths = append(container.ReadonlyPaths, "/dev") |
|
| 89 | 89 |
} |
| 90 | 90 |
|
| 91 | 91 |
if err := d.setupMounts(container, c); err != nil {
|
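Review bot: The comment `/* These paths must be remounted as r/o */` above the changed `append` no longer explains why `/proc` is absent from the list, so a later cleanup could put it back and reintroduce the regression. After this change only `/dev` is forced read-only here for a `--read-only` container, so any write protection for sensitive `/proc` entries has to come from configuration outside this hunk; that should be confirmed before merging. I would extend the comment along the lines of `/* /proc is deliberately left out: remounting it r/o broke LSM labeling on exec, see TestExecOnReadonlyContainer */`. createContainer starts and ends outside the hunk.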
| ... | ... |
@@ -543,3 +543,10 @@ func (s *DockerSuite) TestExecWithImageUser(c *check.C) {
|
| 543 | 543 |
c.Fatalf("exec with user by id expected dockerio user got %s", out)
|
| 544 | 544 |
} |
| 545 | 545 |
} |
| 546 |
+ |
|
| 547 |
+func (s *DockerSuite) TestExecOnReadonlyContainer(c *check.C) {
|
|
| 548 |
+ dockerCmd(c, "run", "-d", "--read-only", "--name", "parent", "busybox", "top") |
|
| 549 |
+ if _, status := dockerCmd(c, "exec", "parent", "true"); status != 0 {
|
|
| 550 |
+ c.Fatalf("exec into a read-only container failed with exit status %d", status)
|
|
| 551 |
+ } |
|
| 552 |
+} |
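Review bot: TestExecOnReadonlyContainer has no `testRequires(c, NativeExecDriver)` guard, although TestRunContainerWithReadonlyRootfs in this same commit gates its `--read-only` checks on it. If `--read-only` is only honoured by the native driver, the new test could fail or pass vacuously under another driver; adding `testRequires(c, NativeExecDriver)` as the first statement would keep the two tests consistent. The test can also only catch the LSM labeling regression on a host where an LSM is actually enforcing, which deserves a short comment above the function, e.g. `// Regression test: exec must still be able to set its LSM label when the rootfs is read-only.`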
| ... | ... |
@@ -2242,7 +2242,7 @@ func (s *DockerSuite) TestRunContainerWithWritableRootfs(c *check.C) {
|
| 2242 | 2242 |
func (s *DockerSuite) TestRunContainerWithReadonlyRootfs(c *check.C) {
|
| 2243 | 2243 |
testRequires(c, NativeExecDriver) |
| 2244 | 2244 |
|
| 2245 |
- for _, f := range []string{"/file", "/etc/hosts", "/etc/resolv.conf", "/etc/hostname", "/proc/uptime", "/sys/kernel", "/dev/.dont.touch.me"} {
|
|
| 2245 |
+ for _, f := range []string{"/file", "/etc/hosts", "/etc/resolv.conf", "/etc/hostname", "/sys/kernel", "/dev/.dont.touch.me"} {
|
|
| 2246 | 2246 |
testReadOnlyFile(f, c) |
| 2247 | 2247 |
} |
| 2248 | 2248 |
} |
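Review bot: With `"/proc/uptime"` dropped from the list, TestRunContainerWithReadonlyRootfs no longer asserts anything about `/proc`, so the suite would not notice if a read-only container ended up with kernel-facing `/proc` entries writable. If the default container configuration is still expected to keep some `/proc` subtree read-only (that configuration is not visible in this commit), the list should include one such path, for example `"/proc/sys/kernel"` alongside the existing `"/sys/kernel"` entry. A one-line comment such as `// /proc itself is intentionally writable so exec can apply LSM labels` above the loop would also record why the entry was removed.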