Browse code
Prevent write access to /proc/asound
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Conflicts:
integration-cli/docker_cli_run_test.go
Michael Crosby authored on 2015/04/21 03:58:24Showing 2 changed files
| ... | ... |
@@ -84,7 +84,11 @@ func New() *configs.Config {
|
| 84 | 84 |
"/proc/kcore", |
| 85 | 85 |
}, |
| 86 | 86 |
ReadonlyPaths: []string{
|
| 87 |
- "/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus", |
|
| 87 |
+ "/proc/asound", |
|
| 88 |
+ "/proc/bus", |
|
| 89 |
+ "/proc/irq", |
|
| 90 |
+ "/proc/sys", |
|
| 91 |
+ "/proc/sysrq-trigger", |
|
| 88 | 92 |
}, |
| 89 | 93 |
} |
| 90 | 94 |
|
| ... | ... |
@@ -3056,3 +3056,24 @@ func (s *DockerSuite) TestRunPidHostWithChildIsKillable(c *check.C) {
|
| 3056 | 3056 |
c.Fatal("Kill container timed out")
|
| 3057 | 3057 |
} |
| 3058 | 3058 |
} |
| 3059 |
+ |
|
| 3060 |
+func TestRunWithTooSmallMemoryLimit(t *testing.T) {
|
|
| 3061 |
+ defer deleteAllContainers() |
|
| 3062 |
+ // this memory limit is 1 byte less than the min, which is 4MB |
|
| 3063 |
+ // https://github.com/docker/docker/blob/v1.5.0/daemon/create.go#L22 |
|
| 3064 |
+ out, _, err := runCommandWithOutput(exec.Command(dockerBinary, "run", "-m", "4194303", "busybox")) |
|
| 3065 |
+ if err == nil || !strings.Contains(out, "Minimum memory limit allowed is 4MB") {
|
|
| 3066 |
+ t.Fatalf("expected run to fail when using too low a memory limit: %q", out)
|
|
| 3067 |
+ } |
|
| 3068 |
+ |
|
| 3069 |
+ logDone("run - can't set too low memory limit")
|
|
| 3070 |
+} |
|
| 3071 |
+ |
|
| 3072 |
+func TestRunWriteToProcAsound(t *testing.T) {
|
|
| 3073 |
+ defer deleteAllContainers() |
|
| 3074 |
+ code, err := runCommand(exec.Command(dockerBinary, "run", "busybox", "sh", "-c", "echo 111 >> /proc/asound/version")) |
|
| 3075 |
+ if err == nil || code == 0 {
|
|
| 3076 |
+ t.Fatal("standard container should not be able to write to /proc/asound")
|
|
| 3077 |
+ } |
|
| 3078 |
+ logDone("run - ro write to /proc/asound")
|
|
| 3079 |
+} |